This chapter describes issues associated with Oracle Adaptive Access Manager. It includes the following topics:
This section describes general issues. It includes the following topics:
OAAM Sessions is Not Recorded When IP Address from Header is an Invalid IP Address
Checkpoint Boxes in Session are Displayed with Same Timestamp
OAAM sessions were not recorded for some header-based IP addresses.
Header-based IP addresses are not accepted by default. To enable the reading of IP addresses from the header, set vcrypt.tracker.ip.detectProxiedIP to true. When header IP addresses are enabled, only valid IP addresses are used. If the header contains an invalid IP address, the actual request IP address is used.
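The fallback described above, modelled as an added example (this is not OAAM code). The header name X-Forwarded-For, the choice of the left-most entry in a proxy chain, and the returned source labels are assumptions made for illustration; the page does not state them.

```python
import ipaddress

# Assumption: the page does not name the header OAAM reads.
PROXY_HEADER = "X-Forwarded-For"


def parse_ip(value):
    """Return a normalised IPv4/IPv6 string, or None if value is not a valid IP literal."""
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def get_header(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def resolve_client_ip(remote_addr, headers, detect_proxied_ip=False):
    """Pick the IP address to record for a session.

    detect_proxied_ip mirrors vcrypt.tracker.ip.detectProxiedIP:
    off by default, so the header is ignored unless it is enabled.
    Returns (ip, source); source records why that address was chosen,
    which is worth logging because an invalid header value is a signal.
    """
    if not detect_proxied_ip:
        return remote_addr, "request:header-disabled"
    raw = get_header(headers, PROXY_HEADER)
    if raw is None:
        return remote_addr, "request:no-header"
    # Assumption: with a proxy chain, the left-most entry is the client.
    candidate = parse_ip(raw.split(",")[0])
    if candidate is None:
        # Invalid header value: fall back to the actual request IP so the
        # session is still recorded with a usable address.
        return remote_addr, "request:invalid-header"
    return candidate, "header"


# Constructed sample requests: (direct peer address, headers).
SAMPLES = [
    ("198.51.100.10", {"X-Forwarded-For": "203.0.113.7"}),
    ("198.51.100.10", {"x-forwarded-for": "unknown"}),
    ("198.51.100.10", {"X-Forwarded-For": "999.10.10.10"}),
    ("198.51.100.10", {"X-Forwarded-For": "2001:db8::1, 10.0.0.5"}),
    ("198.51.100.10", {}),
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(hdrs, "->", resolve_client_ip(peer, hdrs, detect_proxied_ip=True))
```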
The same timestamp is displayed in Checkpoint boxes in the Session Details page when multiple transactions are triggered in the same session. This bug has been fixed for OAAM Online.
When an OAAM Agent Case is autogenerated from a Configurable Action, the User Details pane is populated with details of the user for the session where the case was created. An autogenerated Agent case should not contain user-specific data. Only Escalated Agent cases should display user details since they are the only cases specific to a single end user.
This section describes policy management issues and workarounds. It includes the following topics:
Rule Condition to Check Consecutive Transactions Fails Entity Check
Exclude IP List Parameter for User and Device Velocity Rule Conditions
OAAM Offline Displays Only the Last Rule Executed Overwriting Previous
When two instances of an entity are associated to an OAAM Transaction and a filter condition is set up to compare an attribute of one entity instance with the corresponding attribute of the other entity instance, the OAAM Administration Console can only configure a comparison between the same attribute instead of a comparison between the different attributes.
For example:
Two instances of the Address entity are associated with a Transaction, one with the instance name BillingAddr and another with the instance name ShippingAddr. If the user configures Check Current Transaction using the filter condition to compare Billing.line1 with ShippingAddr.line1, after saving the rule, the OAAM Administration Console always shows the instance --- line1 of BillingAddr in the dropdown for the attribute the user wants to compare and the dropdown for the attribute the user is comparing to.
The rule condition TRANSACTION: Check if consecutive Transactions in given duration satisfies the filter conditions does not trigger. The condition returns False and the entity check fails with exceptions in the debug log.
The Exclude IP List parameter was added to the following conditions:
Device: Velocity from last login
User: Velocity from last login
This parameter allows you to specify a list of IP addresses to ignore. If the user's IP address belongs to that list, then this condition always evaluates to false and no action and/or alert is triggered. If the user's IP address is not in that list or if the list is null or empty, then the condition evaluates the velocity of the user or the device from the last login. If the velocity of the user or the device from the last login is more than the configured value in the rule, the condition evaluates to true and the condition is triggered.
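The evaluation order described above, modelled as an added example (this is not OAAM code). Velocity is assumed here to be great-circle distance between the two login locations divided by elapsed time, in km/h; the page does not define the calculation or its units, and the field names and sample logins are constructed.

```python
import ipaddress
import math
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def ip_excluded(ip, exclude_list):
    """True if ip is on the Exclude IP List; a null or empty list excludes nothing."""
    if not exclude_list:
        return False
    addr = ipaddress.ip_address(ip)
    # Compare parsed addresses so different spellings of one IPv6 address match.
    return any(addr == ipaddress.ip_address(entry) for entry in exclude_list)


def velocity_condition(last, current, max_kmh, exclude_list=None):
    """Model of 'Velocity from last login' with the Exclude IP List parameter.

    last/current are dicts with keys ip, lat, lon, time (constructed shape).
    """
    # 1. An excluded IP always evaluates to false: no action, no alert.
    if ip_excluded(current["ip"], exclude_list):
        return False
    # 2. Otherwise evaluate the velocity since the last login.
    dist = distance_km(last["lat"], last["lon"], current["lat"], current["lon"])
    hours = (current["time"] - last["time"]).total_seconds() / 3600.0
    if hours <= 0:
        # Assumption: no elapsed time between logins at different places
        # is treated as exceeding any configured velocity.
        return dist > 0
    # 3. True only when the velocity is more than the configured value.
    return dist / hours > max_kmh


# Constructed logins: New York, then London one hour later.
T0 = datetime(2024, 1, 1, 12, 0, 0)
LAST = {"ip": "198.51.100.10", "lat": 40.7128, "lon": -74.0060, "time": T0}
CURRENT = {"ip": "203.0.113.7", "lat": 51.5074, "lon": -0.1278,
           "time": T0 + timedelta(hours=1)}

if __name__ == "__main__":
    print(velocity_condition(LAST, CURRENT, 900))                   # not excluded
    print(velocity_condition(LAST, CURRENT, 900, ["203.0.113.7"]))  # excluded
```

Because an excluded address suppresses the condition entirely, the list is best limited to addresses whose location is known to be misleading.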
When multiple transactions are run in the same session, only the rule triggered for the last transaction is displayed in OAAM offline. The rules from the previous transactions are overwritten. To fix this bug, you must apply the patch and update the database schema.
The User: Check first login time condition returned the same value regardless of when the user logged in.
This section describes OAAM Transaction issues. It includes the following topics:
OAAM Displays Only the Last Rule Executed and Overwrites Previous Rules
OAAM Transaction Cannot Be Created with Numeric Parameter of More than 16 Digits
Transaction Mapping Substring Error for First Character Value
Update Time for Entity Is Updated Without Any Change in Entity Data
When multiple transactions are triggered in the same session which result in multiple alerts and policies execution, OAAM displays only the most recent alerts and policies triggered and overwrites the alerts and policies from previous transactions.
When there are more than 25 data elements configured for a transaction, the Session Details displays only transaction details for the first 25 items. The page has no scroll bars for scrolling.
Alerts are not visible for transactions beyond the 25th. If there are more than 25 checkpoint boxes containing alerts, they are not visible in the Session Details, although the data is seen in the database.
If a user defines any numeric value more than 16 digits in a transaction field, the transaction creation fails with the error on the server of ORA-01438: value larger than specified precision allowed for this column.
Transactions listed in Session Transactions section of Session Details are duplicated after 25 transactions in a session.
Transaction ID association with Alert is not working even after passing transactionId in processRules API. The bug has been fixed for the server-side.
Transaction status needs to be displayed in the Transaction Details page so that the Fraud team will be able to see if a transaction was attempted but did not complete. This provides information on both the behavior of customers and fraudsters and also of the functioning of the rules. The Fraud team does not believe they can do their job effectively if they cannot tell the transaction status. The workaround is to display the status value for each transaction on the Session Transactions panel along with Name, Transaction Id, Description, and Timestamp. The value displayed would be mapped from the property tracker.transaction.status.enum (e.g. 1=Success, 99=Pending).
When the user performs a transaction mapping of the type SubString, the first character of the value is missing from the mapping result because the oaam.transaction.mapping.startindex.min property was set to 1. Setting the property to 1 starts the substring operation from the second character of the string. A fix has been made so that this property is assigned to 0 so that the substring operation starts from the first character of the string.
When using an entity that is mapped to a Transaction Definition in a transaction, the entity's update time is updated by the OAAM Server even if no changes were made to the entity data (other fields are not updated). Database performance is impacted when this occurs.
This section describes Knowledge-Based Authentication issues. It includes the following topics:
Closing Browser on Image and Security Phrase Registration Page
OAAM Change Password Does Not Display Any Validation for Password Fields
Registered Questions Are Deleted and Subsequent Challenge Does Not Succeed
The KBA Registration Logic page does not display KBA Logic (Question per menu, Categories per menu, Number of questions the user will register) because the previous out of the box snapshot did not contain the properties for the KBA Registration Logic page. The patch fixes this problem. To effect this fix, the new out of the box snapshot file (oaam_base_snapshot.zip) needs to be imported. Note that importing this file will overwrite the existing content in the server.
If you do not want to import the snapshot file, but want to fix the registration logic related issue, you can create the following properties (with default values as shown):
challenge.question.registration.groups.categories.count=5
challenge.question.registration.groups.count=3
challenge.question.registration.groups.minimum.questions.per.category.count=1
challenge.question.registration.groups.questions.count=5
The patch also fixes the policy overrides in such a way that when the user fails the OTP challenge, the challenge does use KBA as a fallback. If you do not want to overwrite the contents but just import the newer policies, you can import oaam_policies.zip as a policies import. Importing the policies does not fix the registration logic related bug.
Answer Logic checks if the answer provided by the user closely matches the ones provided during registration. Answer Logic relies on abbreviations.
An updated Answer Logic abbreviations resource bundle is available in OAAM 11.1.1.5. In the new resource bundle, the following are considered a match:
Registered Answer | Given Answer |
---|---|
Missus | Mrs |
Mister | Mr |
Sergeant | Sgt |
Mrs | Missus |
Mr | Mister |
Sgt | Sergeant |
The following KBA questions from previous releases were deleted from the kba_questions.zip (English) file and oaam_base_snapshot.zip file for Federal Financial Institutions Examination Council (FFIEC) compliance:
Delete or deactivate the following 10 questions:
What year was your oldest child born?
What year did your oldest child start school?
What year did your youngest child start school?
What is your eldest child's middle name?
What is the first name of your youngest child?
What year was your youngest child born?
What is the first name of your oldest child?
What is your youngest child's birthday?
What is your youngest child's middle name?
What is your oldest child's birthday?
Delete or deactivate the following 18 questions:
What year did you graduate from high school?
What year did you graduate from junior high school?
What city was your high school in?
What were your college colors?
What year did you graduate from grade school?
What was the mascot of your college?
What were your high school colors?
What was the mascot of your high school?
What is the name of a college you applied to but did not attend?
In what city was your first elementary school?
What year did you start high school?
What year did you start junior high school?
What year did you start grade school?
What year did you graduate from college?
What year did you start college?
What was your major in college?
What was the first school you ever attended?
What city was your college in?
Delete or deactivate the following 2 questions:
What is the first name of your closest childhood friend?
What is your height?
Parents, Grandparents, Siblings Category
Delete or deactivate the following 17 questions:
What year was your father born?
What is your father's birthday?
What is your oldest sibling's nickname?
In which city was your father born?
In which city was your mother born?
What is your parent's current street address number?
What is your parent's current street name?
What is your youngest sibling's nickname?
What is your parent's current ZIP code?
What year was your mother born?
What are the last 4 digits of your parent's phone number?
What is your maternal grandmother's first name?
What is your paternal grandmother's first name?
What is the first name of your youngest sibling?
What is your paternal grandfather's first name?
What is your mother's birthday?
What is the first name of your eldest sibling?
Delete or deactivate the following 18 questions:
Where did you go on your honeymoon?
What year did you get married?
What year was your significant other born?
What is your significant other's birthday?
What date is your wedding anniversary?
In what city did you meet your spouse for the first time?
What city was your significant other born in?
What is the first name of your significant other's mother?
What is the first name of your significant other's father?
What is the last name of your significant other's eldest sibling?
What is the first name of your significant other's youngest sibling?
What high school did your significant other attend?
What was the last name of your best man or maid of honor?
What was the first name of your best man or maid of honor?
Name of the place where your wedding reception was held.
What is your spouse's nickname?
What state was your significant other born in?
What is the last name of your significant other's youngest sibling?
Delete or deactivate the following 4 questions:
What is the mascot of your favorite sports team?
What are the colors of your favorite sports team?
What team is the biggest rival of your favorite sports team?
What is your all time favorite sports team?
Delete or deactivate the following 9 questions:
What is the ZIP code where you grew up?
Who was the US President when you were born?
How old was your father when you were born?
How old was your mother when you were born?
What is the name of the hospital you were born in?
What is the ZIP code of your birthplace?
What is the holiday closest to your birthday?
What state were you born in?
What city were you born in?
If the user tries to register his security image and phrase for the first time and during the process, he closes his browser window on the registration and user preferences pages or returns to the login page, the last image and phrase presented are accepted as the default even if he has not explicitly chosen them by clicking the Continue button.
A fix has been made so that the image and phrase registration only saves the image and phrase after the user clicks Continue on the registration and user preferences pages.
The OAAM Change Password page in an OAAM and OIM integration does not display any validation for the Password field. The issues are as follows:
If the user does not enter a password, but clicks Submit, there is no validation that the fields are empty
If the user enters a new password and then the confirmation password, the password is accepted regardless of whether they are the same or different
If the user changes his password, the old password is not validated to confirm that it is correct
An ORA-01722 error can occur when adding a new challenge question.
If a user's question set contains a deleted question and/or if a user's registered questions contain a deleted question and/or if the KBA registration logic is out of alignment with the user's registered questions and question set (the number of questions/categories and so on), when the user tries to update his question set but cancels or closes the browser window or the session times out without saving, that user's existing questions are deleted from the database. The subsequent challenge does not succeed as the existing questions have been deleted.
This issue has been fixed so that now if a user's registered questions have been deleted in the process of resetting the questions, the user will be asked to re-register new ones on the next login.
This section describes OAAM integration issues. It includes the following topics:
setupOAMTapIntegration.sh Does Not Set oaam.uio.oam.secondary.host.port
OAAM Does Not Support Juniper Single Sign-On for Authentication and Forgot Password Flow
OAAM Should Call UserManager.Unlock() in the Forgot Password Workflow
The setupOAMTapIntegration.sh script does not set the secondary OAM host information (oaam.uio.oam.secondary.host.port value) during the configuration of Oracle Adaptive Access Manager for the Oracle Access Manager and Oracle Adaptive Access Manager integration. The workaround is to set the property value through the property editor.
The OAAM Authentication flow is not invoked when integrated with Juniper SSL. By invoking OAAM, the integration can detect fraud and determine risk during the authentication flow and accordingly strongly authenticate the user using OAAM capabilities like Challenge, Block, and other actions. The Juniper SSL and OAAM integration flow should be as follows:
The user tries to access a web application or URL that is secured by Juniper SSL, and Juniper SSL detects whether the user is authenticated or not.
If the user is authenticated then he is allowed to proceed to the web application.
If the user is not authenticated, he is redirected to the OAAM Server. The OAAM Server displays the User ID page and prompts the user to enter his User ID. Once the user enters his User ID, OAAM evaluates the Pre-Authentication checkpoint policies and checks to see if the user has to be blocked.
OAAM then checks to see if the user has registered for an Authentication Pad. If so, it displays the registered Authentication Pad, otherwise it displays a generic text pad.
OAAM Server displays the Password page with the Authentication Pad and prompts the user to enter his password. Once the password is entered, it is validated against the user store (the user store can be LDAP, Active Directory, or any active user store). It also identifies the device by running the device identification process.
If the credentials are incorrect then OAAM displays an error page and asks the user to enter his credentials again.
If the credentials are correct then OAAM evaluates Post-Authentication checkpoint policies. Based on the outcome of the policy OAAM might challenge or block the user.
If the outcome of Post-Authentication is ALLOW then OAAM determines if the user has to be registered. Based on the types of registration, OAAM takes the user through registration pages.
If the outcome of Post-Authentication is CHALLENGE and if the user is already registered for at least one of the challenge mechanisms, OAAM challenges the user. If the user is able to answer the challenge then he would be allowed to continue to the next step. As the next step OAAM fetches the user attributes from the user store and then creates the SAML response, signs it and then it posts to the Juniper SSL redirection URL. Juniper SSL then takes control, validates the SAML payload, and lets the user access the web application.
If the outcome of Post-Authentication is BLOCK then user would be blocked and he would not be able to access the web application.
The Step Up Authentication feature is available with OAAM. Step Up Authentication allows users who have been authenticated by OAM at a lower level to access resources protected by OAAMTAPScheme configured at a relatively higher authentication level. When the user tries to access a protected resource that is configured at a higher level, OAAM runs policies to determine how to further authenticate the user so as to gain the required level of authentication needed for access to the protected resource. The user is not taken to the normal login flow since he is already authenticated.
The property to disable/enable Step Up Authentication mode in TAP Integration: By default the Step Up Authentication mode is enabled. However, if you want to disable this feature, then set property oaam.uio.oam.integration.stepup.enabled to false.
Change in behavior for the end user: For an end user using the Access Manager-OAAM TAP Integration, the change in behavior is as follows:
If a user has already been authenticated by Access Manager and he tries to access a resource protected under TAPScheme with OAAM as the TAP partner, the user is not taken to the OAAM login flow (since the user is already authenticated). However, OAAM runs its fraud detection policies and might ask challenge questions or block the user depending on the risk evaluated by the policies.
In Access Manager-OAAM TAP integration, when an incorrect user name or password is supplied, OAAM shows the following error:
There was some technical error processing your request. Please try again
The patch fixes this problem: the error message now indicates an invalid user name or password error instead of a technical error.
The client calling Web services is not getting exceptions for timeouts. As a result the client cannot handle SOAP timeouts in a proper way because it cannot determine whether the exception is a SOAP timeout or any other faults. A fix has been implemented so that a specific error code for timeouts is passed to the client. The client can therefore handle the fault per the information contained in the exception.
A handleException() method has been introduced in the class VCryptSOAPGenericImpl; it can be overridden to include more error codes based on business requirements. Currently it has been set for soaptimeout errors:
protected String handleException(String requestName, Exception ex, String resultXml) {
In the Forgot Password flow executed by OAAM in an Oracle Identity Manager and Access Manager integration, the user is not unlocked when he changes his password. When OAAM executes the changePassword() API, Oracle Identity Manager does not automatically unlock the user.
The following steps are needed to enable automatic unlocking of the user on the Oracle Identity Manager side when OAAM executes the changePassword() API during the Forgot Password flow:
Log in to the OAAM Administration Console.
In the navigation pane, click Environment and double-click Properties. The Properties search page is displayed.
Set oaam.oim.passwordflow.unlockuser to true.
By default this property value is set to false. By setting this property to true, OAAM will call the unlock API of Oracle Identity Manager in the Change Password task flow.
This section describes OAAM BI Publisher reports and Sessions issues and workarounds. It includes the following topics:
Alert Message Link in Session Details Page Does Not Open the Alert Details
OAAM Rules Breakdown Report Does Not Provide Correct Information
When the user tries to access an alert details page from an alert message link in the Session Details page, the page fails to open.
To work around this issue, use the alert message link on the Session Search page.
The BI Publisher Rules Breakdown report does not give a summary of the rules which have been triggered by the checkpoint and policy. The values given are not complete or accurate.
For the report to work, run the following script:
create or replace view OAAM_FIRED_RULES_VIEW as (
select actionMap.create_time, ruleMaps.rule_map_id, actionMap.request_id,
actionMap.runtime_type,
sessions.user_id, sessions.node_id, actionMap.action_list
from (select substr(attr_name, 7) ruleInstanceId, case when
length(trim(translate(attr_value, '+-.0123456789', ' '))) is null then
CAST(attr_value AS NUMBER(16)) else null end rule_map_id, fprint_id from
v_fp_map where attr_name like 'RLD_ID%') ruleMaps
inner join vt_session_action_map actionMap on actionMap.rule_trace_fp_id =
ruleMaps.fprint_id
inner join vcrypt_tracker_usernode_logs sessions on sessions.request_id =
actionMap.request_id
inner join (select substr(attr_name, 11) ruleInstanceId, case when
length(trim(translate(attr_value, '+-.0123456789', ' '))) is null then
CAST(attr_value AS NUMBER(16)) else null end attr_value, fprint_id from
v_fp_map where attr_name like 'RLD_STATUS%') ruleStatus
on ruleStatus.ruleInstanceId = ruleMaps.ruleInstanceId and
ruleStatus.fprint_id = ruleMaps.fprint_id
where ruleStatus.attr_value=1
union select ruleLogs.create_time, ruleLogs.rule_map_id,
policySetLogs.request_id, policySetLogs.runtime_type,
userNodeLogs.user_id, userNodeLogs.node_id, ruleLogs.action_list
from VR_RULE_LOGS ruleLogs
inner join VR_MODEL_LOGS modelLogs on ruleLogs.MODEL_LOG_ID =
modelLogs.MODEL_LOG_ID
inner join VR_POLICY_LOGS policyLogs on modelLogs.POLICY_LOG_ID =
policyLogs.POLICY_LOG_ID
inner join VR_POLICYSET_LOGS policySetLogs on policyLogs.POLICYSET_LOG_ID =
policySetLogs.POLICYSET_LOG_ID
inner join VCRYPT_TRACKER_USERNODE_LOGS userNodeLogs on
policySetLogs.REQUEST_ID = userNodeLogs.REQUEST_ID
where ruleLogs.status=1);
commit;
This section describes the following configuration issues and workarounds:
Database Archive and Purge Scripts Missing from Installation
Juniper Login Fails Due to Incorrect CN Value and No UID Attribute in SAML Response
OAAM is certified on Oracle Linux 6 (OEL6) with the Unbreakable Enterprise Kernel (UEK), Oracle Linux 6 (OEL6) with the Red Hat Compatible Kernel, and Red Hat Enterprise Linux 6 (RHEL6). Note that OAAM 11g is certified on Oracle Linux 6 but during the installation of Oracle Identity Management (Oracle IdM), the user will see an alert message during the pre-requisite check. This error does not impact the installation and can be ignored. The user can click OK to continue the installation.
Bug 15833450 OAAM 11.1.1.5 is certified on Oracle Linux 6 (OEL6) with the Unbreakable Enterprise Kernel (UEK), Oracle Linux 6 (OEL6) with the Red Hat Compatible Kernel, and Red Hat Enterprise Linux 6 (RHEL6).
Case and monitor data purge scripts are missing from the oaam_db_purging_scripts.zip file.
For purging case data, the following scripts need to be included:
create_case_purge_proc.sql
The create_case_purge_proc.sql script is required to set up the archive and purge routines for the Oracle database.
exec_sp_purge_case_data.sql
The exec_sp_purge_case_data.sql script is required to perform the archive and purge of case data.
For purging monitor data, the following scripts need to be included:
drop_monitor_partition.sql
Customers who are using the Oracle table partitioning option and have no reporting database should run the drop_monitor_partition.sql script before setting up the purging routine for monitor data.
exec_v_monitor_purge_proc.sql
The exec_v_monitor_purge_proc.sql script calls the stored procedures to archive and purge data from device fingerprinting tables.
create_v_monitor_purge_proc.sql
The create_v_monitor_purge_proc.sql script creates the V_MONITOR_DATA_PURGE table and the stored procedure SP_V_MON_DATA_PURGE_PROC to archive and purge data from the transaction table.
After successful authentication, OAAM obtains the user attributes from the user store and sends user attributes in a SAML assertion to Juniper. Juniper is set up to look for attributes to read from the SAML assertion to match the user in its repository. Then it logs the user in to the requested target page or web application.
In this bug, the user is unable to log in to Juniper via OAAM because Juniper fails to identify the user. OAAM did not fetch the correct cn (common name) value and it did not set the uid (User ID) attribute in the SAML response.
This section describes customer care and investigation issues. It includes the following topics:
Investigator Role Overrides CSR Role When Both Roles Are Given to a User
Case Search and Case Details Do Not Display Case Disposition
Wrong User Attributed for Last Notes Added If Two Users Concurrently Update Case Notes
Manually Created OAAM Agent Cases Cannot Be Searched by Username or User ID
OAAM Allows Case Ownership Change and Add Notes Actions to Closed Case
Create Agent Case Configurable Action Displays Wrong Name for Action
When a user is given both the Investigator and CSR Access roles, the former overrides the access permissions of the latter and the user has only Investigator access and no CSR access. Expected behavior is that a user having both Investigator and CSR access, should be able to perform Investigator and CSR tasks.
Users with low resolution monitors are not able to see details in full in the Case Details page. Details refer to those available based on a user's role. The Case Details page required scroll bars so that users with low resolution monitors can see all details.
After an OAAM Agent case is closed with a disposition of Confirmed Fraud, the agent can locate the case by searching by disposition but Confirmed Fraud is not displayed in the Case search page even after adding Disposition as a column to display. When the Case Details page of the same case is opened, the field is empty for Disposition.
OAAM allows two agents to concurrently access a case, but if the two agents add notes to the case, OAAM saves both agents' notes; however, the second agent's notes are displayed as having been added by the first agent. Concurrent write access to cases is supported: if two agents are accessing the case at the same time, the second agent is made aware that the case is being worked on by another agent with a warning message. When the second agent continues, he is made the owner of the case. Notes are attributed to the correct agent.
When an OAAM Agent Case is autogenerated from the Configurable Action, the User Details panel is populated with user details for the session for which the case was created. When manually creating a case and linking to a session, user details are not populated. Subsequent searches of cases by Username or User ID only locate automatically created cases.
An enhancement has been made so that the Agent case creation page can optionally accept entry of a valid Username and/or User ID if the oaam.customercare.agent.case.allow.userinfo property is set to true. If a Username and/or User ID is entered, it is mapped to the Agent case. Agent cases with a mapped Username and/or User ID are searchable by Username and/or User ID. These cases display the mapped user identifier in the Username and/or User ID column on the Cases search page. Only an Agent case that has been escalated from a CSR case displays the User Details section under the Case Details Summary tab.
After an Agent case is closed, case ownership can still change when accessed by another user. The case owner is changed to the user who accessed the case. OAAM also allows the adding and editing of notes after a case is closed. After an Agent case is closed, no changes should be allowed.
When a Configurable Action triggers the Create Agent Case action, it is displayed as Add to IP Watch list for both the Name and Description of the action when it is added to an Action group.
Challenge failure counters are not displayed on the CSR Case Details as in the details pages. Failure counters should be displayed for KBA and OTP as well as for new or custom challenge processors. Also, the Reset action does not reset all the counters. An Unlock action should reset all counters (KBA and OTP). The following should occur for counters when the Unlock action is performed:
Unlocking KBA resets the KBA and OTP failure counters to 0
Unlocking OTP resets the KBA and OTP failure counters to 0
The following actions should occur for failure counters when the Reset action is performed:
Resetting KBA resets KBA and OTP failure counters to 0. The user will be required to register challenge questions again
Resetting CSR KBA resets KBA and OTP failure counters to 0. The user will be required to register challenge questions again
Resetting OTP resets KBA and OTP failure counters to 0. The user will be required to register OTP again
The following enhancements have been made:
OAAM Admin Console Case detail and details pages display failure counter, registration, and other information for KBA, OTP, and other custom challenge mechanisms
OTP failure counters from different channels consolidate failures. For example, if multiple channels are used, the OTP status displays Locked if the combined OTP counters are above the threshold. So, if the user fails SMS twice and Email once and threshold is 3, they are locked using the consolidated OTP counter
The Reset action resets all challenge failure counters
The Unlock action is consolidated into an Unlock User action instead of separate actions for unlocking KBA and OTP. The Unlock User action resets all failure counters
User name is displayed on the Case Details tab instead of or along with Case ID
The Threshold value for failure counter can be set in the rule condition, User: Challenge Channel Failure.
This section describes performance issues. It includes the following topic:
Scrolling up and down on the Session search page may pass an empty or null input list, which may result in retrieving millions of rows from the database, causing the error, java.lang.OutOfMemoryError:GC overhead limit exceeded.
This section describes device fingerprinting issues. It includes the following topic:
When the .Net API is used to generate a browser fingerprint that uses a custom locale as part of the login flow, an error occurs: Culture ID 4096 (0x1000) is not a supported culture.\r\nParameter name: culture.
The issue occurs when the application is using a custom culture because locale is registered with the Microsoft .NET framework and when the OAAM .NET API classes try to construct the CultureInfo from the LCID that came into the HttpSession, an exception occurs because of the Microsoft .NET framework. The workaround is to change the oaam/src/dotNET/Bharosa/vCrypt/Common/Util/HttpUtil.cs line 162 from CultureInfo ci = new CultureInfo(context.Session.LCID); to CultureInfo ci = new CultureInfo(context.Current.Request.UserLanguages[0]);
This causes .NET to look up the locale by the name of the locale instead of by the LCID. Request.UserLanguages is populated from the client's Accept-Language header, so it can be null or name a culture that .NET does not recognize; the calling code should handle both cases.
This section describes geolocation loader issues. It includes the following topics:
Upload of Geolocation Data Causes Unique Constraint Violation
IP Location Data Loader Fails If There is a Blank Line in the File
When reloading the same location data file, or loading an updated location data file, the data would be loaded correctly, but the log file would show numerous warnings about unique constraint violations which degrades performance.
The OAAM data loader fails to load IP location data if a blank line is in the data file and does not report the line number. The expected result is for the OAAM data loader to skip the blank line and display a warning message that includes the line number.
You can work around this issue by opening the IP location data file, removing the blank line, and saving the file. This issue will be fixed in a future release.
This section describes multi-language support issues and limitations. It includes the following topics:
When the browser language is set to Italian, the user cannot open pages with calendars in the OAAM Administration Console, such as the Session or Cases page. A pop-up window with the following error message is displayed:
java.lang.IllegalArgumentException: Illegal pattern character 'g'
Searching sessions and cases by date range does not work in the OAAM Administration Console when the browser language is set to Brazilian Portuguese or Spanish. When the user opens the calendar in the Session or Cases page in the Spanish or Brazilian Portuguese locale, the year value is always shown as 1970 and cannot be modified to the correct year. As a result, the search does not work and the expected data cannot be returned in the search results.