36 Oracle Information Rights Management

This chapter describes issues associated with Oracle IRM Server and Oracle IRM Desktop, together known as 'Oracle IRM'. Unless otherwise stated, the version of Oracle IRM to which these release notes apply is (incorporating version 11.1.50 of Oracle IRM Desktop).

This chapter includes the following topics:

36.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

36.1.1 Data Truncation May Occur If One Large or Multiple Excel Files Are Open

A product defect has been identified in Oracle IRM when it is used with a single large Microsoft Excel file or with multiple open Microsoft Excel files. This may affect the integrity of the Microsoft Excel files that are saved with Oracle IRM.

When you have Oracle IRM enabled with multiple Excel files open or with a single large sealed Excel file, the defect causes data truncation in the open Excel files. There is no error message or warning when the truncation happens.

This defect has been observed for file sizes greater than 10MB, although the issue cannot be ruled out for smaller files as well. The amount of data truncated is random, but the rows affected are typically those at the bottom of the file. After the truncation occurs, the data is permanently lost when the file is saved.

The workaround is to use smaller sealed Excel workbooks, if possible. If not, confirm the correct row size with the document author, and confirm that value each time you open the sealed file.

There is no confirmation of a resolution as Oracle IRM is nearing the end of support and will be EOL soon.

36.1.2 Some Functionality is Disabled or Restricted in Adobe Reader X and Adobe Reader 9

To protect the security of sealed PDF documents, some Adobe Reader functionality is disabled or restricted, as described below.

Protected Mode in Adobe Reader X

Sealed PDF documents cannot be opened if Adobe Reader Protected Mode is active. If Protected Mode has not been disabled in advance, Oracle IRM will offer to disable Protected Mode when you attempt to open a sealed PDF document. You can choose not to accept, in which case Protected Mode will remain active and the sealed PDF document will not be opened.

Use of Toolbar and Other Controls in Adobe Reader X

When using a sealed PDF document in the traditional view, you cannot use the toolbar that is shown within Internet Explorer across the top of the document. Instead, you must switch to the Read-Mode view (using Ctrl+H) and use the buttons on the floating toolbar that appears in that view. You can use the buttons on the Read-Mode floating toolbar to save and print the sealed PDF document (if you have sufficient rights), and to page up and down, or to zoom in and out. You can also, subject to your rights, use the following keyboard shortcuts: Print (Ctrl+P), Save (Ctrl+Shift+S), and Copy (Ctrl+C).

Use of Toolbar and Other Controls in Adobe Reader 9

The following Adobe Reader 9 toolbar buttons do not function:

  • Email

  • Collaborate

  • Create Adobe PDF using Acrobat.com

If you click these buttons, you will see a message that the associated function is unavailable.

All other Adobe Reader 9 controls are available if you have sufficient rights. If you do not have sufficient rights, you will see a message when you attempt to use the control.

A further restriction applies to controls added to the Adobe Reader 9 interface by users when they have a sealed PDF document open: the added control will be inactive until Adobe Reader is closed and reopened.

36.1.3 Limitations of Support for Microsoft SharePoint in this Release

Read-only support for Windows 2000/XP

Sealed documents will always open read-only when opened from Microsoft SharePoint using Microsoft Office 2000 or Microsoft Office XP. From Microsoft Office 2003 onwards, full checkout, edit, and save capabilities are supported. The following is the behavior when using a Microsoft SharePoint web site to browse and open sealed files:

  • Microsoft Office 2000 "open" behavior. Clicking any file in Microsoft SharePoint will result in the option to open the file or save it locally. Sealed files will always open read-only unless saved locally.

  • Microsoft Office 2000 "edit" behavior. The Edit in Microsoft Word [PowerPoint/Excel] option is not supported for any file (sealed or unsealed).

  • Microsoft Office XP "open" behavior. In Microsoft SharePoint 2007, when clicking a sealed file, a download dialog will be presented offering the option to open the file or save it locally. Sealed files will always open read-only unless saved locally. In Microsoft SharePoint 2010, when clicking a sealed file, a download dialog will be presented offering only the option to save the file locally.

  • Microsoft Office XP "edit" behavior. In Microsoft SharePoint 2007 and 2010, when choosing Edit in Microsoft Word [PowerPoint/Excel] from the drop-down list for the file, nothing will happen for the following sealed file types: .sppt, .spot, .sxlt, .sdot. All other sealed file formats will open read-only. In Microsoft SharePoint 2010, the Edit Document option is missing for sealed files when using the Datasheet view.

No support for merging

Files opened from Microsoft SharePoint that are locked for editing by another user will not offer the chance to edit a local copy and merge changes later. Oracle IRM Desktop forces the document to open read-only. In Microsoft Office 2010, the Office bar and Backstage view offer an Edit button to switch to edit mode: this is prevented for sealed documents. If you wish to edit the file, you will need to open it for editing from the Web browser: if it is not locked for editing elsewhere, it will open editable.

Microsoft Word 2010 files opened from SharePoint 2010 are read-only

The following Microsoft Word 2010 sealed file types cannot be edited if they are opened from SharePoint 2010: .sdocx, .sdocm, .sdotx, .sdotm. Other sealed Microsoft Word formats (for example, .sdoc) will open as normal. The workaround is to save a copy of the file locally, edit that file, then upload it to SharePoint.

The Check Out button is sometimes missing when opening a sealed Excel file in Protected Mode

If the Microsoft SharePoint Web site is running under Protected Mode in Internet Explorer on Microsoft Vista or Microsoft Windows 7, the Check Out button is not shown. To work around this issue, check out the file first from the Web browser, or open the file directly via Windows Explorer, the Open dialog (available by choosing Open on the File menu), or the most-recently-used (MRU) list.

Using Microsoft Outlook to work with SharePoint offline

Microsoft Office 2007 onwards supports the ability to open a SharePoint folder in Outlook. The SharePoint files can then be worked on while offline, and Outlook will handle the synchronization of any changes. There are known issues with this capability when working with sealed files because Outlook opens them differently to native Microsoft Office files. You may get the message "Outlook cannot track the program used to open this document. Any changes you make to the document will not be saved to the original document" when opening sealed files from this view, and changes made to the sealed file will not automatically upload to the server. A manual send/receive is required.

In Microsoft Office 2010 the sealed files are opened in a mode which is similar to email attachments and require the following protected view settings:

  • Uncheck Enable Protected View for Outlook Attachments. This will allow opening of the server file from within the Outlook offline view.

  • Uncheck Enable Protected View for files originating from the Internet. This will allow opening of files when they are being edited offline.

Using Windows Explorer to open sealed files from SharePoint

Microsoft Office 2003 on Windows Vista may have problems opening sealed files from the Windows Explorer view of SharePoint. Microsoft Office may display a message similar to the following:

Could not open http://<sp_server>/DavWWWRoot/Docs/MyFolder/file.sdoc

A workaround for this is to access the folder using UNC. For example:


36.1.4 Lotus Notes Email Message May be Lost if Context Selection Dialog is Canceled

When using the base release of Lotus Notes version 8.5, if the context selection dialog is canceled when sending a sealed email, an error occurs and the message is lost. This does not occur in earlier versions of Lotus Notes. This issue is resolved in Lotus Notes version 8.5.2.

36.1.5 Save As is Blocked in Microsoft Office 2000/XP for Sealed Files if the Destination is a WebDAV Folder

The use of Save As is blocked in Microsoft Office 2000/XP for sealed files if the destination is a WebDAV folder (for example, in UCM). You'll need to save the sealed file to the local file system and upload it manually to the WebDAV folder. However, if you have the 11g UCM Desktop Integration Suite (DIS) installed, you can save sealed files as a new content item in UCM using the DIS menu in Microsoft Office.

The use of Save as Sealed, or of right-click Seal To (from Windows Explorer), will work when the destination is a WebDAV folder.

36.1.6 No Prompt to Use Local Drafts Folder for Sealed Files in SharePoint 2010

When you check out unsealed files in SharePoint 2010, you are warned about the checkout and given the choice to use a local drafts folder. When you check out sealed files in SharePoint 2010, the file is checked out without giving the option to use a local drafts folder.

36.1.7 Incorrect Initial Display of Oracle IRM Fields in Microsoft Excel Spreadsheets When Used With SharePoint

This issue refers to Oracle IRM Fields set up using custom properties, as described in the Oracle IRM Desktop help, in the topic Adding Oracle IRM Fields in Microsoft Excel.

The problem occurs when using a combination of Microsoft Windows Vista, Microsoft Internet Explorer 7 or 8, Microsoft Office 2007, and Microsoft SharePoint 2007.

If you open a sealed Microsoft Excel spreadsheet that contains custom properties, when you go to edit the spreadsheet, the custom properties are initially shown with the placeholder #NAME? rather than with their correct values. The custom properties should update with their correct values when you start to edit the spreadsheet.

36.1.8 Behavior of Automatic Save and Automatic Recovery in Microsoft Office Applications and SharePoint

The behavior of automatic save and automatic recovery in Microsoft Office applications is as detailed below.


On automatic recovery, users are prompted to save the file to disk immediately in order to persist the recovered changes to a sealed file on disk. This is true for all versions and applications which support auto-recovery.


Microsoft Word

  • All supported versions: automatic save and recovery of sealed files should behave as normal, with the exception that automatic saving is blocked if the filename contains a dot that is not part of the extension (for example, my.filename.sdoc), or if the filename contains any double byte character.

  • In Word 2010, automatically saved files recovered from the Recovery pane will not automatically prompt for a Save As: users will need to perform the Save As manually.


Microsoft PowerPoint

  • PowerPoint XP, 2003: automatic save and recovery of sealed files should behave as normal.

  • PowerPoint 2007: the automatic saving of sealed files does not take place.

  • PowerPoint 2000: automatic save is disabled if sealed files are open, meaning that, if the system crashes, any unsaved changes to any file (sealed or original) will be lost.

  • PowerPoint 2010: Automatically saved files do not appear in the Recovery pane, but Microsoft Office 2010 creates auto-saved files that can be opened via the Backstage view, enabling changes to be recovered.


Microsoft Excel

  • All supported versions: automatically saved Excel files (.xar) will be sealed, but the recovery of these files does not happen automatically. To recover "lost" changes, users need to locate the .xar file and rename it to .sxls.

  • Excel 2010: Automatically saved files do not appear in the Recovery pane, but Microsoft Office 2010 creates auto-saved files that can be opened via the Backstage view, enabling changes to be recovered.

Microsoft Office draft documents

  • Microsoft Office keeps unsaved copies of files for a short period. These are accessible from the Backstage view. Oracle IRM treats these files as auto-saved files, and on opening them users will be prompted to perform a Save As operation. To use the restored file in place of the original file, users must copy the saved version over the original.

Because of these restrictions, it is recommended that you do not rely on automatic save and recovery. Instead, save your work frequently when using these applications.
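The following pre-flight check is an added example, not part of Oracle IRM or of the original release notes. It flags sealed files whose names block automatic saving as described in this section, and sealed Excel files above the 10MB size noted in 36.1.1. Assumptions: the extension sets contain only the sealed extensions named in these notes, "10MB" is read as 10 * 1024 * 1024 bytes, and "double byte character" is approximated as an East Asian wide or fullwidth character.

```python
import os
import unicodedata

# Sealed extensions named in these release notes (not a complete product list).
SEALED_EXCEL_EXTS = {".sxls", ".sxlt", ".sxlsx", ".sxltx"}
SEALED_EXTS = SEALED_EXCEL_EXTS | {
    ".sdoc", ".sdot", ".sdocx", ".sdocm", ".sdotx", ".sdotm",
    ".sppt", ".spot", ".spptx", ".spptm", ".spotx", ".spotm",
}
# Assumption: "10MB" in 36.1.1 is read as 10 * 1024 * 1024 bytes.
EXCEL_TRUNCATION_BYTES = 10 * 1024 * 1024


def is_double_byte(ch):
    # Assumption: approximate "double byte character" as East Asian
    # wide (W) or fullwidth (F) according to the Unicode database.
    return unicodedata.east_asian_width(ch) in ("W", "F")


def check_sealed_file(name, size_bytes=0):
    """Return warnings for one file name (no directory part) and its size."""
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in SEALED_EXTS:
        return []  # the restrictions only concern sealed files
    warnings = []
    if "." in stem:
        warnings.append("autosave-blocked: dot outside the extension")
    if any(is_double_byte(ch) for ch in name):
        warnings.append("autosave-blocked: double-byte character in name")
    if ext in SEALED_EXCEL_EXTS and size_bytes > EXCEL_TRUNCATION_BYTES:
        warnings.append("truncation-risk: sealed Excel file larger than 10MB")
    return warnings


def scan(root):
    """Walk a directory tree and return {path: warnings} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            warnings = check_sealed_file(name, os.path.getsize(path))
            if warnings:
                findings[path] = warnings
    return findings


if __name__ == "__main__":
    # Constructed sample names and sizes, for illustration only.
    samples = [
        ("my.filename.sdoc", 20_000),
        ("report.sdoc", 20_000),
        ("\u5831\u544a.sdocx", 20_000),
        ("budget.sxls", 11 * 1024 * 1024),
    ]
    for name, size in samples:
        print(name, check_sealed_file(name, size))
```

Run `scan()` over the folders where users keep sealed documents to list the files for which automatic save cannot be relied on.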

36.1.9 Support for Microsoft Windows 2000 Has Been Removed

Oracle IRM no longer supports the Microsoft Windows 2000 operating system.

36.1.10 Unreadable Error Message Text When Client and Server Locales are Different

Error messages are sent to the client (Oracle IRM Desktop) in the language of the server (Oracle IRM Server). Therefore, if the locale of the server is different to the locale of the client, the error message text may be rendered in garbage characters. The error code remains readable, and can be provided to support services as necessary.

36.1.11 Changes Lost if Tab Changed Before Applying the Apply Button

On the Oracle IRM Server Management Console, if you make changes on a tabbed page that has an Apply button, and then move to another tab without using the Apply button, the changes will be lost. You will not be prompted to save the changes that you made.

36.1.12 Some File Formats are Not Supported When Using the Microsoft Office 2007 Compatibility Pack with Microsoft Office 2003

The following Microsoft PowerPoint and Microsoft Excel formats are not supported for sealing when using the Office 2007 Compatibility Pack with Office 2003 and earlier: SPOTM, SPOTX, SPPTM, SPPTX, SXLSX, and SXLTX. For these applications, use other file formats that are supported for sealing.

36.1.13 Microsoft Word May Hang if a Sealed Email is Open During Manual Rights Check-In

In Oracle IRM Desktop, if you attempt to check in your rights while a sealed email is open in Microsoft Word, Microsoft Word may hang. It is recommended that you do not check in your rights while a sealed email is open.

36.1.14 Sealed Emails in Lotus Notes will Sometimes Show a Temporary File Name

In Lotus Notes, if a sealed email has a communication thread with multiple messages or replies, the title bar may show a temporary file name instead of the correct subject name. You may also be prompted to save changes when you have not made any. No harm should arise from these anomalies.

36.1.15 No Support for Sealing Files of 2GB or Larger in Size in Oracle IRM Desktop

Sealing files of size 2GB or larger is not supported in the current release of Oracle IRM Desktop.

36.1.16 Inappropriate Authentication Options After Failed Login on Legacy Servers When Setting Up Search

When setting up indexed search, if you enter incorrect authentication credentials for a legacy server (for example, a 10g Oracle IRM Server) that has been set up for Windows NT authentication, the login retry dialog will show options for Windows basic authentication. You should not use Windows Authentication credentials to log in to legacy servers set up for Windows NT Authentication.

36.1.17 Opening Legacy Sealed Documents in Microsoft Office 2007 May Fail on First Attempt

If users attempt to open a legacy Microsoft Office 2007 document (a document sealed with an older version of Oracle IRM), and Oracle IRM Desktop has not been synchronized with the server against which the document was sealed, the attempt will fail. The sealed document will not be opened, and the user will not be prompted to authenticate against the server to which the document was sealed. A second attempt to open the sealed document should succeed, because the initial attempt should have synchronized Oracle IRM Desktop with the server. Alternatively, the user can synchronize to the server manually (using the Oracle IRM Desktop Options dialog) before opening a legacy sealed document.

36.1.18 Log Out Link Inoperative When Using OAM 11g for SSO

When using OAM (Oracle Access Management) 11g for SSO, the Log Out link on the Oracle IRM Server Management Console does not log the user out.

36.1.19 Double-byte Languages Cannot be Used for Entering Data with Legacy Servers

This release of Oracle IRM Desktop is available in many more languages than previous releases, including some double-byte languages. However, for legacy (10g) servers, as previously, data (user names, etc.) must still be entered using the 7-bit ASCII range of characters.

36.1.20 Use of SPACE Key Instead of Return Key in Oracle IRM Server

In some dialogs in the Oracle IRM Server Management Console, the Return key does not execute buttons. When this occurs, use the SPACE key instead.

36.1.21 Calendar Controls in Oracle IRM Server Not Accessible Via the Keyboard

In the Oracle IRM Server Management Console, the calendar controls are not accessible via the keyboard, and do not appear if the console is in Screen Reader mode. To enter a date using the keyboard, the date should be typed in.

36.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

36.2.1 New JPS Configuration Properties for User and Group Searches

The following new JPS configuration properties are supported in PS5. These settings allow the attributes used in the Oracle IRM Server Management Console user and group searches to be defined.

Property: oracle.irm.default.search.user.attributes

Valid values (one or more values are allowed, separated with a comma):

  • NAME






Property: oracle.irm.default.search.group.attributes

Valid value:


Default value = "ROLE_NAME"

This complements the search filter attributes already supported in jps-config.xml.

Property: oracle.irm.default.search.filter

Valid values (one of the following):



  • ENDS


Default value = "CONTAINS"


An example JPS LDAP service instance entry:

<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
  <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
  <property name="oracle.irm.default.search.filter" value="BEGINS"/>
  <property name="oracle.irm.default.search.user.attributes" value="USER_NAME,NAME,BUSINESS_EMAIL"/>
  <property name="oracle.irm.default.search.group.attributes" value="ROLE_NAME"/>
</serviceInstance>

36.2.2 Mandatory Patch Number 12369706 For Release of Oracle IRM Server, To Fix Role Edit Bug

The Oracle IRM Server Management Console has an issue that requires a patch to be applied to the installed or upgraded system. When selecting rights for a context, the Properties, Edit, and Remove buttons are always disabled and cannot be used. Selecting one or more rights will not enable the buttons.

Patch 12369706 fixes this issue. This patch can be downloaded from https://support.oracle.com

To install the patch:

  1. Log on to https://support.oracle.com

  2. Select Patches & Updates.

  3. Enter the patch number 12369706 in the patch search.

  4. Click Search.

  5. Follow the installation instructions provided with the patch.

36.2.3 Installing the 64-Bit Version of Oracle IRM Desktop

For this release, you can choose to install a 64-bit version of the Oracle IRM Desktop client tool. There are no specific instructions for this installation, but if you attempt to install the 64-bit version in a 32-bit environment, you will see messages that this is not possible.

36.2.4 Reboot Necessary to Obtain New Online Information Button

After an upgrade from a previous release of Oracle IRM Desktop, the new Online Information button on the IRM tab in the Properties dialog (obtained by right-clicking Properties on a file in Windows Explorer) is missing until the system is rebooted. This does not affect new installations. A workaround is to restart after upgrading from a previous release of Oracle IRM Desktop, even though the installer does not prompt that a reboot is necessary.

36.2.5 Deploying Oracle IRM Using Oracle Access Manager Version 10g

Deploying Oracle IRM version 11gR1 in an environment using Oracle Access Manager version 10g requires additional configuration to process logout requests properly. For detailed information, see the section "Configuring Global Logout for Oracle Access Manager 10g and 10g WebGates" in the Oracle Fusion Middleware Application Security Guide.

36.2.6 LDAP Reassociation Fails if User and Group Names are Identical

When reassociating an LDAP identity store, the Oracle IRM process for exporting user and group information has an issue if user and group names are identical. If a user and group have identical names, the export process will lose either the user or the group details during the export step. This is because the user or group name is used as the file name, so one file overwrites the other. A post-reassociation workaround is to check user and group right assignments, and to manually reassign any that are missing.
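The following check is an added example, not Oracle code. Run before reassociation, it lists the user and group names that would collide in the export step, so you know which right assignments to verify afterwards. Assumptions: the user and group names have already been pulled from the identity store into two lists, and names differing only in case are also reported because they map to the same file on a case-insensitive file system (the release note itself only mentions identical names).

```python
def find_export_collisions(users, groups, ignore_case=True):
    """Return sorted (user, group) pairs whose names would share a file name.

    ignore_case=True also reports names that differ only in case; this is an
    assumption for case-insensitive file systems. Set it to False to report
    only exactly identical names, as described in the release note.
    """
    key = str.casefold if ignore_case else (lambda s: s)

    # Index group names by their comparison key.
    groups_by_key = {}
    for group in groups:
        group = group.strip()
        if group:
            groups_by_key.setdefault(key(group), []).append(group)

    # Every user whose key matches a group key is a collision.
    pairs = []
    for user in users:
        user = user.strip()
        for group in groups_by_key.get(key(user), []):
            pairs.append((user, group))
    return sorted(pairs, key=lambda p: (p[0].casefold(), p[1]))


if __name__ == "__main__":
    # Constructed sample names, for illustration only.
    users = ["jsmith", "Finance", "ops"]
    groups = ["finance", "ops", "hr"]
    for user, group in find_export_collisions(users, groups):
        print(f"user {user!r} collides with group {group!r}")
```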

36.2.7 Upgrading Oracle IRM Desktop From Versions Earlier Than 5.5

You can upgrade to this release from Oracle IRM Desktop version 5.5 onwards, by running the installation wizard on the computer that has the older version.

For versions earlier than 5.5, or from any version of SealedMedia Unsealer or Desktop, you can upgrade to this release only by uninstalling the older version and installing this release.

If you are upgrading to this release of Oracle IRM Desktop from a 10g release, you will lose the locally stored rights to use sealed documents (the rights that enable you to continue working when you are offline). When this happens, you will have to obtain new rights by going online and synchronizing with the server. For this reason, do not begin an upgrade unless you have online access to the server.

When upgrading on Windows Vista or Windows 7, you may encounter a file lock and be prompted to retry, ignore, or cancel. You can safely use the ignore option if this happens.

36.2.8 Synchronizing Servers After an Upgrade of Oracle IRM Desktop

If you are upgrading to this release of Oracle IRM Desktop from a 10g release, you will not be synchronized to any servers (Oracle IRM Server). This will show as a blank list on the Servers tab of the Oracle IRM Desktop Options dialog. Servers are automatically added to the list when you open sealed documents for which you have access rights. The easiest way to repopulate your list of servers is to open documents that have been sealed against servers on which you have rights.

36.2.9 Reapplying Lost Settings After an Upgrade of Oracle IRM Desktop

If you are upgrading to this release of Oracle IRM Desktop from a 10g release, your previous settings (as shown on the Oracle IRM Desktop Options dialog) are not applied to the new installation. These include support for email systems, so you should reset these before attempting to work with sealed emails in Microsoft Outlook and Lotus Notes.

36.2.10 Changing Oracle IRM Account When Authenticated Using Username and Password

Oracle IRM Desktop caches user rights in an offline database. In earlier releases, this database was shared by all users of a machine. In this release, there is one offline database per Windows user.

You are strongly advised to use only one Oracle IRM account with each Windows account.

If you authenticate to the server (Oracle IRM Server) with a username and password, you can change the account you use as follows:

  1. On the Update Rights tab of the Oracle IRM Desktop Options dialog, check in rights for all servers by clicking Check in.

  2. On the Servers tab of the Oracle IRM Desktop Options dialog, select the server to be updated and click Clear Password.

  3. Quit from any Oracle IRM-enabled applications, such as Adobe Reader and Microsoft Office.

    If you think that Oracle IRM-enabled applications may still be running, restart Microsoft Windows.

  4. On the Update Rights tab of the Oracle IRM Desktop Options dialog, synchronize rights for all servers by clicking Synchronize.

Users who are automatically authenticated to the server using Windows authentication cannot change their Oracle IRM account.

Access to the offline database is protected by your Windows credentials. You are no longer required to additionally authenticate to Oracle IRM when working offline.

36.2.11 Post-Installation Steps Required for Oracle IRM Installation Against Oracle RAC

To use Oracle RAC with an Oracle IRM instance, the Oracle IRM data source needs to be altered using the WebLogic Administration Console and the following procedure:

  1. From Services, select JDBC, then select DataSources.

  2. Select the OracleIRM data source.

  3. On the Transaction tab, check Supports Global Transactions, then check Emulate Two-Phase Commit.

  4. Click Save.

This will set the global-transactions-protocol for Oracle IRM data-sources for Oracle RAC to EmulateTwoPhaseCommit.

36.2.12 Enabling the Oracle IRM Installation Help Page to Open in a Non-English Server Locale

Use the following procedure to enable the Oracle IRM installation help page to open in a non-English server locale:

  1. Unzip the shiphome.

  2. Extract all the non-HTM files (7 files in total) from help\en in the ecminstallhelp.jar file located in Disk1\stage\ext\jlib\

  3. Put these 7 files into the folder within the jar for the locale in which you will install ECM.

  4. Overwrite ecminstallhelp.jar with the modified version.

36.3 Documentation Errata

There are no known issues at this time.