18 Oracle Access Manager

This chapter describes issues associated with Oracle Access Manager 11g Release 1 (11.1.1). It includes the following topics:

18.1 Patch Requirements

This section describes patch requirements for Oracle Access Manager 11g Release 1 (11.1.1). It includes the following sections:

See Also:

18.1.1 Plain Text Credentials Exposed in Diagnostic Logs when Creating an Identity Store

To work around this issue:

  1. Go to My Oracle Support at

    http://support.oracle.com

  2. Click the Patches & Updates tab, and search for bug 9824531. Download the associated patch and install it by following the instructions in the README file included with the patch.

  3. On the Patches & Updates tab, search for bug 9882205. Download the associated patch and install it by following the instructions in the README file included with the patch.

18.2 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

18.2.1 Resource Protected By Federation Shown Without Authentication

When accessing a page protected by the new Oracle Access Manager integrated Federation feature with the Internet Explorer browser, the browser's delete cookies option does not delete cookies and, therefore, authentication will not be requested. This is a browser-specific issue. Workaround: Delete the browsing history using Tools > Internet Options > Browsing History (make sure Cookies is selected) and close all instances of Internet Explorer. When you access the OAM-protected page again, authentication will be requested.

18.2.2 Issues Registering the OSSO Plugin

The OSSO Plugin is for iPlanet and IIS when a customer does not wish to use OHS. It must be registered with OID/SSO 10.1.2.3 or 10.1.4.3, which have been discontinued as of 2011.

18.2.3 Modify Authentication Scheme When Upgrading OAM 11.1.1.5 to OAM 11.1.1.7

For any Oracle Access Manager customer that upgrades from OAM 11.1.1.5 to OAM 11.1.1.7 and uses a custom login page, remove the redirect=true entry from Challenge Parameters in the AnonymousScheme authentication scheme or the Login Page will not work. Details are in MOS Note 1548551.1.

18.2.4 RemoteRegistrationServerException Seen After PasteConfig IDM (T2P)

Even when pasteConfig goes through successfully, a RemoteRegistrationServerException is logged. If you can access the Oracle Access Manager console and see all the agents, this exception is benign and can be ignored.

18.2.5 System Error Page Displayed After Login

After successfully logging in to a page with a longer URL, an Oracle Access Manager system error page might be displayed; access to the same page would not have resulted in this in previous releases. Accessing the page with a longer URL a second time may clear this condition.

18.2.6 T2P Paste Config Operation Fails With Exception

When trying to complete the paste config portion of the Test to Production procedure, the following exception may occur:

javax.management.RuntimeMBeanException:
javax.management.RuntimeMBeanException: Configuration MBean not initialized.

There is currently no workaround for this issue.

18.2.7 Creating Policies For Webgate 11g

Oracle Identity Manager and Oracle Access Manager integrations support Webgate 11g. Follow this procedure to create policies for Webgate 11g.

  1. Modify the value for WEBGATE_TYPE in the idmConfigTool configOAM and idmConfigTool configOIM property files.

    • ohsWebgate11g (for Webgate 11)

    • ohsWebgate10g (for Webgate 10)

  2. Log in to the Oracle Access Manager console.

  3. Select the Policy Configuration tab.

  4. Expand Application Domains - IAM Suite

  5. Click Resources.

  6. Click Open.

  7. Click New resource.

  8. Provide values for the following:

    • Type: HTTP

    • Description: OAM Credential Collector

    • Host Identifier: IAMSuiteAgent

    • Resource URL: /oam

    • Protection Level: Unprotected

    • Authentication Policy: Public Policy

  9. Click Apply.

18.2.8 Sending Valid Cookie For Embedded BI Content

When embedded BI content and Oracle Access Manager are on different physical machines or accessed from different ports on the same machine, the BI proxy on the application's container needs to authenticate itself to the Oracle Access Manager server in order to access the protected BI content. To ensure that the valid OAMAuthnCookie is sent to the Webgate, filterOAMAuthnCookie=false should be set in the User Defined Parameters section of the Webgate's configuration profile. Restart the server after the modification for the new parameter value to take effect.

18.2.9 Incorrect SSO Agent Date/Time Shown to User

The default start date on the Create OAM Agent page is based on the Oracle Access Manager server date/time. The date/time shown to the end user is based on the Oracle Access Manager server time zone rather than on the user's machine.

18.2.10 Initial Messages After Webgate Registration Are Not Shown in the User's Locale

After Webgate registration, the description fields in the initial messages for related components are not shown in the user's locale.

The description field does not support Multilingual Support (MLS).

18.2.11 Single-Click to Open Child Node is Not Supported in the Navigation Tree

Single-click to open a child node in the navigation tree is not supported, but double-click is supported.

18.2.12 User Credential for Registration Tool Does Not Support Non-ASCII Characters on Native Server Locale

The user credential for the Oracle Access Manager registration tool oamreg.sh/oamreg.bat does not support non-ASCII characters on the Linux Non-UTF8 server locale and the Windows native server.

18.2.13 Turkish and Greek Character Issues on Oracle Access Manager Authentication Page

In some cases if a user has Turkish, German, or Greek special characters in the user name and the login name only differs in the special characters, he might pass authentication because of case mappings and case-insensitivity.

Some international characters have special capitalization rules, so that an upper-cased character does not convert back to the original lower-case character.

For example, consider SS and ß in German, where ß exists only as a lower-case character. Performing "to upper" on ß changes it to SS, and if that upper-case text is then converted back to lower case, the SS becomes ss rather than the original ß.
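The round trip described above can be checked directly. The following Python script is an added example, not code from the Oracle documentation or from Oracle Access Manager; the user names in SAMPLE_USER_NAMES are constructed. It shows how an upper-then-lower comparison merges names that differ only in ß/ss or in the Turkish dotless ı, and contrasts it with an exact comparison that applies Unicode normalization but no case mapping.

```python
import unicodedata

# Constructed sample of user names that differ only in locale-specific characters.
SAMPLE_USER_NAMES = ["straße", "strasse", "Strasse", "ırmak", "irmak", "Irmak"]


def round_trip_key(name: str) -> str:
    """The comparison the release note warns about: upper-case, then lower-case again.
    'ß' has no upper-case form, so it becomes 'SS' and comes back as 'ss'; the Turkish
    dotless 'ı' becomes 'I' and comes back as the ASCII 'i'. Information is lost."""
    return name.upper().lower()


def exact_key(name: str) -> str:
    """Identity comparison that keeps the original characters: normalize to NFC only, so
    composed and decomposed spellings of the same name still match, but apply no case
    mapping at all."""
    return unicodedata.normalize("NFC", name)


def names_collide(a: str, b: str, key=round_trip_key) -> bool:
    """True when the two names are indistinguishable under the given comparison key."""
    return key(a) == key(b)


def find_collisions(names, key=round_trip_key):
    """Group names that map to the same key. Each returned group would be treated as a
    single account by an authentication check based on that key, which is the condition
    under which a user with one spelling could pass authentication for another."""
    groups = {}
    for n in names:
        groups.setdefault(key(n), set()).add(n)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    print("round-trip collisions:", find_collisions(SAMPLE_USER_NAMES))
    print("exact-match collisions:", find_collisions(SAMPLE_USER_NAMES, exact_key))
```

Running find_collisions over a directory export with round_trip_key lists the accounts affected by this issue; with exact_key the same export yields no groups. Note that str.casefold() also maps ß to ss, so a case-insensitive login that needs to keep such names distinct must compare the NFC-normalized strings exactly rather than fold them.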

18.2.14 Oracle Access Manager Authentication Does Not Support Non-ASCII Passwords on Locales Other than UTF8

When the server locale is not UTF-8 and WebLogic Server embedded LDAP is used as an identity store, the SSO Authentication page does not support non-ASCII passwords.

18.2.15 Error Message of Create Agent Shows as Server Locale

When an administrator creates an agent with the same name as one that already exists, the language of the error message displayed is based on the server locale rather than on the browser locale.

18.2.16 Referrals in LDAP Searches

Oracle Access Manager 11g Release 1 (11.1.1) cannot operate directly with LDAP servers returning referrals.

The workaround is to use Oracle Virtual Directory.

18.2.17 Non-ASCII Resources Require OHS To Restart To Make Protection Take Effect

When you add a resource with a non-ASCII name to a protected authentication policy, the 11g OHS Server must be restarted for the protection to take effect, whereas for resources with English (ASCII) characters, protection takes effect in real time without restarting the OHS Server.

18.2.18 Non-ASCII Characters on Success/Failure URL Results in Garbled Redirect URL

If the on-success or on-failure URL configured for an authentication policy contains non-ASCII characters, the URL is garbled when it is used during user authentication. This happens only when the authentication scheme is Basic Authentication and the end user's browser is the Simplified Chinese version of IE8 running on the Chinese version of Windows.

18.2.19 Resource with Non-ASCII Characters Cannot Be Protected by an OSSO Agent

The OSSO Agent cannot protect a resource whose name contains non-ASCII characters because it does not encode the entire resource URL to UTF-8 format.

To work around this issue, use the Webgate Agent instead of the SSO Agent.

Webgate is able to convert the entire resource URL to UTF-8 format.

18.2.20 Error in Administration Server Log from Console Logins

If you log in to the Oracle Access Manager Console as an administrator and then log in to the Console as an administrator in a new browser tab, the following error appears in the administration logs:

 ------------------------------------------------------------
 <May 20, 2010 10:12:47 AM PDT> <Error>
 <oracle.adfinternal.view.page.editor.utils.ReflectionUtility> <WCS-16178>
 <Error instantiating class -
 oracle.adfdtinternal.view.faces.portlet.PortletDefinitionDTFactory>
 ------------------------------------------------------------

The error message does not impact functionality.

18.2.21 Application Domain Subtree in the Navigation Tree Is Not Rendered and Does Not Respond to User Actions

If the Application Domain subtree on the navigation tree does not render or respond to user interface actions over a period of time, it may be the result of multiple refreshes.

To work around these issues, restart the administration server and log in to the Oracle Access Manager Console again.

18.2.22 editWebgateAgent Command Does Not Give An Error If Invalid Value is Entered

The WLST command editWebgateAgent does not give an error when an invalid value is entered for the state field, in both online and offline mode. The Oracle Access Manager Console then shows the state field value as neither enabled nor disabled, even though it is a mandatory field.

18.2.23 WLST Command displayWebgate11gAgent In Offline Mode Displays the Webgate Agent Entry Twice

In the offline mode, the WLST command, displayWebgate11gAgent, displays the 11g Webgate Agent entry in the System Configuration tab twice.

18.2.24 Message Logged at Error Level Instead of at INFO When Servers in Cluster Start

When starting Oracle Access Manager servers in a cluster, the following message is displayed:

<Jun 22, 2010 3:59:41 AM PDT> <Error> <oracle.jps.authorization.provider.pd> 
<JPS-10774> <arme can not find state.chk file.>

The correct level of the message is INFO, rather than Error.

18.2.25 Help Is Not Available for WLST Command registeroifdappartner

The Help command is not available for the WLST command, registeroifdappartner.

The online and offline command registers Oracle Identity Federation as a Delegated Authentication Protocol (DAP) Partner.

For information, refer to "registerOIFDAPPartner" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

Syntax

registerOIFDAPPartner(keystoreLocation="/scratch/keystore",
logoutURL="http://<oifhost>:<oifport>/fed/user/sploosso?doneURL=http://<oamhost>:<oamport>/ngam/server/pages/logout.jsp",
rolloverTime="526")

Parameter Name     Definition

keystoreLocation   Location of the Keystore file. The file is generated at the OIF Server. (mandatory)

logoutURL          The OIF Server's logout URL. (mandatory)

rolloverInterval   The Rollover Interval for the keys used to encrypt/decrypt SASSO Tokens. (optional)

Example

The following invocation illustrates use of all parameters.

registerOIFDAPPartner(keystoreLocation="/scratch/keystore",
logoutURL="http://<oifhost>:<oifport>/fed/user/sploosso?doneURL=http://<oamhost>:<oamport>/ngam/server/pages/logout.jsp",
rolloverTime="526")

18.2.26 User Must Click Continue to Advance in Authentication Flow

In a native integration with Oracle Adaptive Access Manager, the resource is protected by an Oracle Access Manager policy that uses the Basic Oracle Adaptive Access Manager authentication scheme.

When a user tries to access a resource, he is presented with the username page.

After he enters his username, he must click Continue before he can proceed to the password page. He is not taken to this page automatically.

The workaround is for the user to click Continue, which might allow him to proceed to the password page.

18.2.27 OCSP-Related Fields are Not Mandatory

In the X509 authentication modules, the following OCSP-related fields are no longer mandatory:

  • OCSP Server Alias

  • OCSP Responder URL

  • OCSP Responder Timeout

If OCSP is enabled

The OCSP-related fields should be filled in by the administrator. If they are not filled, there will not be an error from the Console side.

It is the responsibility of the administrator to provide these values.

If OCSP is not enabled

The OCSP-related fields need not be filled in this case. If there are values for these fields, they will be of no consequence/significance, as OCSP itself is not enabled.

In the default out-of-the-box configuration, the OCSP responder URL is http://ocspresponderhost:port. If you make changes to other fields and leave this value as is, you will see a validation error, because the value is still submitted to the back end and the Console layer requires the port to be numeric. Either modify the field so that the port is numeric, or delete the entire value.

18.2.28 Database Node is Absent in the Console

Under the Data Sources node of the System Configuration tab, Common Configuration section, there is no Databases node in Oracle Access Manager 11g (11.1.1.5).

18.2.29 Online Help Provided Might Not Be Up To Date

Online help is available in the Oracle Access Manager Console, but you should check OTN to ensure you have the latest information.

18.2.30 Oracle Access Manager Audit Report AUTHENTICATIONFROMIPBYUSER Throws a FROM Keyword Not Found Where Expected Error

The Oracle Access Manager audit report AuthenticationFromIPByUser uses an Oracle Database 11.2.0 feature and will not work with older versions of the database. The following error is displayed if an older version is used:

ORA-00923: FROM keyword not found where expected

18.2.31 Disabled: Custom Resource Types Cannot be Created

For Oracle Access Manager 11g, creating custom resource types should not be attempted. In the initial release, the buttons to create/edit/delete resource types were available.

With Oracle Access Manager 11g (11.1.1.7) these command buttons are disabled. Oracle provided resource types include:

  • HTTP (includes HTTPS)

  • TokenServiceRP (Resources for representing Token Service Relying Party)

  • wl_authen (Resources for representing WebLogic Authentication schemes)

18.2.32 Use of a Non-ASCII Name for a Webgate Might Impact SSO Redirection Flows

When using the OAM Server with WebGates and when the Webgate ID is registered with a non-ASCII name, the OAM Server may reject that authentication redirect as an invalid request.

To work around this redirection issue, use an ASCII name for the Webgate.

Note:

Resources are protected and error messages do not occur when the administration server and Oracle Access servers are started on UTF-8 locales.

The redirection issue only occurs on native server locales (Windows and non-UTF-8 Linux server locales).

18.2.33 Authentication Module Lists Non-Primary Identity Stores

In the user interface under the Authentication Module, only the primary identity store should be selected in the list since only primary identity stores can be used for authentication/authorization. Currently, the Oracle Access Manager Console allows you to select identity stores that are not primary.

18.2.34 Unable to Stop and Start OAM Server Through Identity and Access Node in Fusion Middleware Control

The following Oracle Access Manager operations are not supported through the oam_server node under Identity and Access in Fusion Middleware Control:

  • Start up

  • Shut down

  • View Log Messages

However, these operations are supported for each Oracle Access Manager managed server instance through the oam_server node (for the specific server) under Application Deployments in Fusion Middleware Control.

18.2.35 AdminServer Won't Start if the Wrong Java Path Given with WebLogic Server Installation

WebLogic Server installation on the Windows 64-bit platform can succeed with a 32-bit JAVA_HOME (jdk1.6.0_23). On the Windows 64-bit platform, the path to the 32-bit JAVA_HOME (c:\program files (x86)\java\jdkxxx) is not handled correctly by startWeblogic.cmd.

  • If you launch the install shield with setup.exe, you are asked for the path of the 64-bit JAVA_HOME. If you provide the 32-bit JAVA_HOME (jdk1.6.0_24) path, the install shield is not launched.

  • If you execute config.cmd from \Middleware\Oracle_IDM1\common\bin, the path to the 32-bit JAVA_HOME (jdk1.6.0_24) is used. Following successful installation, however, you cannot start AdminServer.

Workaround: Oracle recommends replacing SUN_JAVA_HOME with the path using the shorter name (c:\progra~2\java\jdkxxxx).

  • On Windows, the shorter names can be seen by executing "dir /X".

  • Alternatively, you can set the Windows command shell variable JAVA_HOME to the path with the shorter name and execute startWeblogic.cmd within that shell. For example:

    >set JAVA_HOME=c:\progra~2\java\jdkXXX

    >startweblogic.cmd

18.2.36 Changing UserIdentityStore1 Type Can Lock Out Administrators

An Identity Store that is designated as the System Store should not be edited to change the store type (from Embedded LDAP to OID, for instance) nor the connection URLs.

If you do need to change the store type of the Identity Store that is designated as the System Store, Oracle recommends that you create a new Identity Store and then edit that registration to mark it as your System Store.

18.2.37 Page Layouts and Locales

The layout of the single sign-on (SSO) Login Page, Impersonation Consent page, Logout Page, Impersonation Error page, and Login Error Page do not change for Arabic and Hebrew locales.

18.2.38 Some Pages Are Not Correctly Localized

The date formats of "Creation Instant" and "Last Access Time" on the Session Management Search page are not correctly localized.

18.2.39 Non-ASCII Query String Issues with Internet Explorer v 7, 8, 9

Due to a limitation with the Internet Explorer browser, resources with Non-ASCII query string when if you directly type or paste the resource URL.

18.2.40 Oracle Virtual Directory with SSL Enabled

With Oracle Virtual Directory as the user identity store, no errors are seen after changing its registration to use the SSL port, checking the SSL box, and testing the connection (Test Connection button). However, authentication fails (even though the non-SSL port works). Test Connection succeeds the first time; any subsequent attempt results in a Socket Timeout exception from the Oracle Virtual Directory side.

Workaround: Disable NIO for the SSL port as follows:

  1. Stop Oracle Virtual Directory. For example:

    $ORACLE_INSTANCE/bin/opmnctl stopproc ias-component=ovd1
    
  2. Edit the LDAP SSL listener section of listener.os_xml to add <useNIO>false</useNIO>, as follows:

    $ORACLE_INSTANCE/config/OVD/ovd1/listener.os_xml 
    
    <ldap version="20" id="LDAP SSL Endpoint"> 
    <port>7501</port>
    <host>0.0.0.0</host>
    ......... 
    ......... 
    <tcpNoDelay>true</tcpNoDelay>
    <readTimeout>180000</readTimeout>
    </socketOptions>
    <useNIO>false</useNIO>
    </ldap> 
    
  3. Save the file.

  4. Test the connection several times to confirm this is working.
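The edit in step 2 is small but easy to get wrong by hand (the element must go on the SSL endpoint only, and must not be duplicated on a second run). The following Python script is an added example and is not part of the Oracle documentation or of Oracle Virtual Directory. The listener file it operates on is a constructed stand-in for listener.os_xml: the <listeners> root element and the non-SSL "LDAP Endpoint" are assumptions used only to show that the change is confined to the endpoint with id "LDAP SSL Endpoint".

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for $ORACLE_INSTANCE/config/OVD/ovd1/listener.os_xml.
# Root element name and the non-SSL endpoint are assumptions for this example.
SAMPLE_LISTENER_OS_XML = """<listeners>
  <ldap version="20" id="LDAP Endpoint">
    <port>6501</port>
    <host>0.0.0.0</host>
  </ldap>
  <ldap version="20" id="LDAP SSL Endpoint">
    <port>7501</port>
    <host>0.0.0.0</host>
    <socketOptions>
      <tcpNoDelay>true</tcpNoDelay>
      <readTimeout>180000</readTimeout>
    </socketOptions>
  </ldap>
</listeners>"""

SSL_ENDPOINT_ID = "LDAP SSL Endpoint"


def disable_nio(xml_text: str, endpoint_id: str = SSL_ENDPOINT_ID) -> str:
    """Return the listener configuration with <useNIO>false</useNIO> on the named
    endpoint. Idempotent: an existing <useNIO> element is set to false, not duplicated."""
    root = ET.fromstring(xml_text)
    endpoints = [e for e in root.iter("ldap") if e.get("id") == endpoint_id]
    if len(endpoints) != 1:
        raise ValueError(f"expected exactly one <ldap> endpoint with id {endpoint_id!r}, "
                         f"found {len(endpoints)}")
    endpoint = endpoints[0]
    use_nio = endpoint.find("useNIO")
    if use_nio is None:
        # Appended as the last child, after </socketOptions>, as in the release note.
        use_nio = ET.SubElement(endpoint, "useNIO")
    use_nio.text = "false"
    return ET.tostring(root, encoding="unicode")


def nio_settings(xml_text: str) -> dict:
    """Map every <ldap> endpoint id to its useNIO value (None when absent), so the result
    of the edit can be verified before restarting Oracle Virtual Directory."""
    root = ET.fromstring(xml_text)
    return {e.get("id"): e.findtext("useNIO") for e in root.iter("ldap")}


if __name__ == "__main__":
    updated = disable_nio(SAMPLE_LISTENER_OS_XML)
    print(nio_settings(updated))
```

To use it on a real instance, read the file into xml_text after stopping Oracle Virtual Directory (step 1), write the returned string back, and check nio_settings() shows "false" only for the SSL endpoint before testing the connection (step 4).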

18.2.41 Query String Not Properly Encoded

There is no encoding on the query string from Webgate when % is not followed by a sequence of characters that form a valid URL escape sequence. In this case, Oracle Access Manager retains % as % in the decoded string and the following error occurs:

No message for The Access Server has returned a status that is unknown to the
Access Gate .Contact your website administrator to remedy this problem.

Workaround:

11g Webgate: To specify the '%' character in a query string, you must specify '%25' instead of '%'.

10g Webgate: The 11g Webgate workaround applies to only the anonymous scheme. For other authentication schemes, there is currently no workaround.
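The condition behind this error, a % that does not start a valid escape sequence, can be detected and repaired before a URL reaches the Webgate. The following Python script is an added example and is not code from the Oracle documentation or from Oracle Access Manager. It applies the 11g Webgate workaround (a literal % becomes %25) only where the % is not already a valid escape, and it also percent-encodes non-ASCII characters as UTF-8 bytes, which is the encoding step the OSSO Agent issue in 18.2.19 describes. The query strings used are constructed.

```python
import re
from urllib.parse import quote

# A '%' that is not followed by two hexadecimal digits is not a valid URL escape sequence.
_STRAY_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def has_stray_percent(query: str) -> bool:
    """True when the query string contains a '%' that does not start a valid escape,
    which is the input that triggers the 'status unknown to the Access Gate' error."""
    return _STRAY_PERCENT.search(query) is not None


def fix_query_string(query: str) -> str:
    """Return a query string that is safe to pass through the Webgate:
    - every stray '%' becomes '%25' (the documented 11g Webgate workaround),
    - existing valid escapes such as %41 are left untouched,
    - non-ASCII characters are percent-encoded as UTF-8 bytes.
    """
    repaired = _STRAY_PERCENT.sub("%25", query)
    # '%' is kept in the safe set so that escapes already present (including the ones
    # produced above) survive; the usual query-string delimiters are kept as well.
    return quote(repaired, safe="%=&+;/?:@,$!*'()")


# Constructed inputs covering the cases a Webgate sees.
SAMPLE_QUERIES = ["a=100%", "a=%41&b=%4G", "q=中", "name=ß", "a=%"]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{q!r:20} stray={has_stray_percent(q)!s:5} -> {fix_query_string(q)!r}")
```

fix_query_string() is idempotent, so it can sit in a link-generation or proxy layer without double-encoding URLs that were already correct.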

18.3 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

18.3.1 For mod-osso Value for RedirectMethod Should be "POST"

For Webgate to support long URLs, the following code sample was added under oam-config.xml:

<Setting Name="AgentConfig" Type="htf:map">
   <Setting Name="OSSO" Type="htf:map">
        <Setting Name="RedirectMethod" Type="xsd:string">GET</Setting>
        <Setting Name="Delimiter" Type="xsd:string">AND</Setting>
   </Setting>
</Setting>

For mod-osso, the value for RedirectMethod should be POST; however, the value shipped out of the box is GET. Follow these steps to perform the modification, as this change must be made manually: there is no user interface or WLST command available to do so.

  1. Stop the Oracle Access Manager Console and managed servers.

  2. Enter cd DOMAIN_HOME/config/fmwconfig

  3. Enter vi oam-config.xml

  4. Go to the following line in oam-config.xml:

    <Setting Name="AgentConfig" Type="htf:map">
       <Setting Name="OSSO" Type="htf:map">
            <Setting Name="RedirectMethod" Type="xsd:string">GET</Setting>

    Modify GET to POST as follows:

    <Setting Name="RedirectMethod" Type="xsd:string">POST</Setting>
    
  5. Save the changes and start the AdminServer and managed servers.

18.3.2 User Wrongly Directed to the Self-User Login after Logging Out of the Oracle Identity Manager Administration Console

The user is directed to the self-user login after logging out of the Oracle Identity Manager Administration Console.

To be redirected correctly, the logout must work properly.

The workaround for logout with 10g Webgate is to:

  1. Copy logout.html (for example, from Oracle_IDM1/oam/server/oamsso/logout.html) to webgate_install_dir/oamsso.

  2. Update logout URL in the file to http://oam_server:oam_server/ngam/server/logout.

  3. If redirection to a specific page has to occur after logout, change the logout URL to http://oam_server:oam_server/ngam/server/logout?doneURL=http://host:port/specificpage.html.

18.3.3 11g Webgate Fails to Install with Compact Configuration

A compact configuration is an installation with all identity management components on a machine with limited hardware capacity.

On trying to install the 11g Webgate with compact configuration, the following error occurs during the configure step:

Configuring WebGate... 
There is an error. Please try again. 
Preparing to connect to Access Server. Please wait. 
Client authentication failed, please verify your WebGate ID. 
cp: cannot stat 
`$ORACLE_HOME/ohs/conf/aaa_key.pem': 
No such file or directory 
cp: cannot stat 
`$ORACLE_HOME/ohs/conf/aaa_cert.pem': 
No such file or directory 
cp: cannot stat 
`$ORACLE_HOME/ohs/conf/aaa_chain.pem':

The error occurs because the following entries were not initialized in oam-config.xml during the installation:

<Setting Name="oamproxy" Type="htf:map">
<Setting Name="sslGlobalPassphrase" Type="xsd:string">changeit</Setting>
<Setting Name="SharedSecret" Type="xsd:string">1234567812345678</Setting>
</Setting>

To initialize oam-config.xml properly:

  1. Delete the OAM entry from CSF repository by performing the following steps:

    1. Start the WebLogic Scripting Tool:

      oracle_common/oracle_common/common/bin/wlst.sh

    2. In the WLST shell, enter the command to connect to the domain and then enter the requested information.

      A sample is given below.

      wls:/offline> connect () 
      Please enter your username [weblogic] : 
      Please enter your password [welcome1] : 
      Please enter your server URL [t3://localhost:7001] : 
      Connecting to t3://localhost:7001 with userid weblogic ... 
      Successfully connected to Admin Server 'AdminServer' that belongs to domain 'imdomain86'. 
      
    3. Change to domainRuntime.

      A sample is given below.

      wls:/imdomain86/serverConfig> domainRuntime () 
      Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root. 
      
    4. Check whether an entry exists in the CSF repository with the map name as OAM and key as jks.

      A sample is given below.

      wls:/imdomain86/domainRuntime> listCred(map="OAM_STORE",key="jks") {map=OAM_STORE, key=jks} 
      Already in Domain Runtime Tree 
      . 
      [Name : jks, Description : null, expiry Date : null] 
      PASSWORD:1qaldrk3eoulhlcmfcqasufgj2 
      . 
      
    5. Delete the OAM map entry from the CSF repository.

      wls:/imdomain86/domainRuntime> deleteCred(map="OAM_STORE",key="jks") 
      {map=OAM_STORE, key=jks} 
      Already in Domain Runtime Tree 
      . 
      
    6. Exit from wlst shell.

      A sample is given below.

      wls:/imdomain86/domainRuntime> exit () 
      . 
      . 
      . 
      
  2. Go to DOMAIN_HOME/config/fmwconfig and delete the file .oamkeystore.

    A sample (on Linux) is given below.

    [aime@pdrac09-5 fmwconfig]$ rm .oamkeystore 
    . 
    
  3. Stop the Managed Server and Admin Server.

  4. Start the AdminServer.

  5. Verify oam-config.xml.

  6. Start Managed Server.

Steps to verify oam-config.xml:

  1. Go to DOMAIN_HOME/config/fmwconfig/oam-config.xml.

  2. Verify that all the WebLogic Server instances are configured under DeployedComponent > Server > NGAMServer > Instance.

  3. Verify that the OAM Managed Server protocol, host and port are available at:

    DeployedComponent > Server > NGAMServer > Profile > OAMServerProfile > OAMSERVER

  4. Verify that the SSO CipherKey is generated and available at:

    DeployedComponent > Server > NGAMServer > Profile > ssoengine > CipherKey

  5. Verify that the oamproxy entries for SharedSecret and sslGlobalPassphrase are generated and available at:

    DeployedComponent > Server > NGAMServer > Profile > oamproxy

    SharedSecret should have a value different from 1234567812345678 and sslGlobalPassphrase different from changeit.
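Both oam-config.xml edits in this section can be scripted and checked rather than done with vi: the RedirectMethod change in 18.3.1 and the verification in step 5 above that oamproxy no longer carries the installer placeholders. The following Python script is an added example and is not code from the Oracle documentation or from Oracle Access Manager. The file it parses is a constructed stand-in for DOMAIN_HOME/config/fmwconfig/oam-config.xml that models only the two subtrees discussed; the <Configuration> root element and the representation of "DeployedComponent > Server > NGAMServer > Profile > oamproxy" as nested <Setting Name="..."> elements are assumptions. If the real file declares an XML namespace on its root, the "Setting" tag in find_setting() must be namespace-qualified.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for DOMAIN_HOME/config/fmwconfig/oam-config.xml.
# Root element and the nesting under DeployedComponent are assumptions for this example;
# the oamproxy values are the uninitialized placeholders quoted in the release note.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="AgentConfig" Type="htf:map">
    <Setting Name="OSSO" Type="htf:map">
      <Setting Name="RedirectMethod" Type="xsd:string">GET</Setting>
      <Setting Name="Delimiter" Type="xsd:string">AND</Setting>
    </Setting>
  </Setting>
  <Setting Name="DeployedComponent" Type="htf:map">
    <Setting Name="Server" Type="htf:map">
      <Setting Name="NGAMServer" Type="htf:map">
        <Setting Name="Profile" Type="htf:map">
          <Setting Name="oamproxy" Type="htf:map">
            <Setting Name="sslGlobalPassphrase" Type="xsd:string">changeit</Setting>
            <Setting Name="SharedSecret" Type="xsd:string">1234567812345678</Setting>
          </Setting>
        </Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>"""

OAMPROXY_PATH = ("DeployedComponent", "Server", "NGAMServer", "Profile", "oamproxy")
# Placeholder values left behind when oamproxy was never initialized (from the release note).
UNINITIALIZED_OAMPROXY = {"SharedSecret": "1234567812345678", "sslGlobalPassphrase": "changeit"}


def parse_config(xml_text: str):
    return ET.fromstring(xml_text)


def find_setting(node, *names):
    """Follow a chain of nested <Setting Name="..."> elements; None if any link is missing."""
    for name in names:
        node = next((c for c in node.findall("Setting") if c.get("Name") == name), None)
        if node is None:
            return None
    return node


def set_osso_redirect_method(root, method: str = "POST") -> str:
    """Change AgentConfig > OSSO > RedirectMethod in place and return the previous value."""
    node = find_setting(root, "AgentConfig", "OSSO", "RedirectMethod")
    if node is None:
        raise ValueError("AgentConfig/OSSO/RedirectMethod not found in oam-config.xml")
    previous, node.text = node.text, method
    return previous


def uninitialized_oamproxy_entries(root):
    """Names of oamproxy entries that are missing, empty, or still at the installer
    placeholder. An empty list means the verification in step 5 passes."""
    proxy = find_setting(root, *OAMPROXY_PATH)
    if proxy is None:
        return sorted(UNINITIALIZED_OAMPROXY)
    flagged = []
    for name, placeholder in UNINITIALIZED_OAMPROXY.items():
        node = find_setting(proxy, name)
        if node is None or (node.text or "").strip() in ("", placeholder):
            flagged.append(name)
    return sorted(flagged)


def to_xml(root) -> str:
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_OAM_CONFIG)
    print("oamproxy entries still uninitialized:", uninitialized_oamproxy_entries(cfg))
    print("RedirectMethod was:", set_osso_redirect_method(cfg))
```

Run uninitialized_oamproxy_entries() against the real file after the AdminServer restart in step 4; set_osso_redirect_method() performs the 18.3.1 change while the Console and managed servers are stopped, after which to_xml() gives the text to write back.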

18.3.4 Auditing Does Not Capture the Information Related to Authentication Failures if a Resource is Protected Using Basic Authentication Scheme

Although a resource can be protected using the BASIC scheme, WebLogic Server has a feature by which it first authenticates the user itself and only then passes the request on to the server.

If you add the following flag under <security-configuration> in config.xml and restart the server, WebLogic Server's own authentication is bypassed:

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

Once the credentials are submitted to the OAM Server, the authentication attempt is audited.

The WebLogic Server Administration Console does not display or log the enforce-valid-basic-auth-credentials setting. However, you can use WLST to check the value in a running server. You must modify this value by setting this in config.xml.

To do so, refer to "Developing Secure Web Applications" at:

https://download.oracle.com/docs/cd/E13222_01/wls/docs103/security/thin_client.html#wp1037337

18.3.5 Incompatible Msvcirt.dll Files

When you install the Oracle Access Manager 10g Webgate, do not replace the current version of msvcirt.dll with a newer version when prompted. If you do so, there may be incompatibility issues. Later, when you try to install OSSO 10g (10.1.4.3), the opmn.exe command might fail to start and the OracleCSService might time out because the required .dll file is missing.

18.3.6 IPv6 Support

The supported topology for Oracle Access Manager 11g is shown below.

Supported Topology

  • WebGate10g or Webgate 11g and protected applications on IPv4 (Internet Protocol Version 4) protocol host

  • OHS (Oracle HTTP Server) reverse proxy on dual-stack host

  • Client on IPv6 (Internet Protocol Version 6) protocol host

Dual-stack is the presence of two Internet Protocol software implementations in an operating system, one for IPv4 and another for IPv6.

The IPv6 client can access Webgate (10g or 11g) through the reverse proxy on IPv4/IPv6 dual-stack.

18.3.7 What to Avoid or Note in Oracle Access Manager Configuration

This section contains scenarios and items to note in Oracle Access Manager configuration.

18.3.7.1 Unsupported Operations for WLST Scripts

WLST scripts for Oracle Access Manager 10g and Oracle Access Manager 11g WebGates do not support changing Agent security modes.

18.3.7.2 Unsupported Operations for Oracle Access Manager Console and WLST

Unsupported operations for the Oracle Access Manager Console and WLST are described in the following subsections.

18.3.7.2.1 OAM Server

Use Case: Concurrent Deletion and Updating

Description

  1. Open an OAM Server instance in edit mode in Browser 1.

  2. Using the Oracle Access Manager Console in another browser (Browser 2) or using a WLST script, delete this server instance.

  3. Return to Browser 1 where the server instance is opened in edit mode.

  4. In Browser 1, click the Apply button.

Current Behavior

The Oracle Access Manager Console displays the message, "Server instance server_name might be in use, are you sure you want to edit it?" along with the confirmation that the update succeeded.

On clicking Yes, the following error message pops up, as expected, and the OAM Server instance page is closed (correct behavior):

"Error while reading your_server-name OAM Server Instance Configuration."

However, the navigation tree node might continue to display the OAM Server instance until you click the Refresh command button for the navigation tree.

Use Case: Two OAM Server Instances with Same Host Cannot have the Same Proxy Port.

Description

For this use case, there are two instances of the OAM Server: oam_server1 and oam_server2.

  1. Open oam_server1 in edit mode and specify a host and OAM proxy port.

  2. Now open oam_server2 in edit mode and specify the same host and proxy port as oam_server1.

The changes are saved without any error message.

Current Behavior

The Oracle Access Manager Console does not display any error and allows the update.

The behavior is incorrect.

Use Case: Log Statements Detailing the Server Instance Creation, Update and Delete are not Present on the Oracle Access Manager Console

Description

If you create, edit, or delete an OAM Server instance from the Oracle Access Manager Console, the log statements corresponding to create, edit and delete are not displayed by the Console.

18.3.7.2.2 LDAP Authentication Module

Use Case: Concurrent Deletion/Creation of User Identity Store does not Reflect in the List of Identity Stores in the LDAP Authentication Module Create and Edit

Description

  1. Open create/edit for the LDAP authentication module.

    A list displays the identity stores present in the system.

  2. Now create a user identity store using another tab.

  3. Return to the create/edit tab for the LDAP authentication module and check the list for user identity stores.

Current Behavior

The Oracle Access Manager Console displays the error message, as expected, and closes the Authentication Module page (correct behavior):

"Error while reading module-name Authentication Module Configuration."

However, the navigation tree node might continue to display the Authentication Module node until you click the Refresh command button for the navigation tree.

18.3.7.2.3 LDAP, Kerberos and X509 Authentication Module

Use Case: Concurrent deletion and updating

Description

  1. Open an LDAP/Kerberos/X509 authentication module in edit mode in Oracle Access Manager Console in Browser 1.

  2. Using Oracle Access Manager Console in another browser (Browser 2) or using a WLST script, delete this authentication module.

  3. Now return to Browser 1 where the authentication module is opened in edit mode.

  4. Click the Apply button.

Current Behavior

The Oracle Access Manager Console updates this authentication module configuration and writes it to the back end.

The behavior is incorrect.

Use Case: Log Statements Detailing the Server Instance Creation, Update and Delete are Not Present on the Oracle Access Manager Console Side

Description

When you create, edit or delete an authentication module from Oracle Access Manager Console, the log statements corresponding to create, edit and delete are not written by the Console.

18.3.7.2.4 OAM 11g Webgate

Use Case: Concurrent Deletion and Update

Description

  1. Open an OAM 11g Webgate instance in edit mode in Oracle Access Manager Console in Browser 1.

  2. Using the Oracle Access Manager Console in another browser (Browser 2) or using a WLST script, delete this OAM 11g Webgate.

  3. Now return to Browser 1 where the server instance is opened in edit mode.

  4. Click the Apply button.

Current Behavior

The Oracle Access Manager Console edit page for the OAM 11g Webgate does not change and the tab does not close.

An "OAM 11g Webgate configuration not found" error dialog is displayed by the Oracle Access Manager Console.

However, the navigation tree is blank, and any attempt to perform an operation results in a javax.faces.model.NoRowAvailableException.

The behavior is incorrect.

18.3.7.2.5 OSSO Agent

Use Case: Concurrent Deletion and Update

Description

  1. Open an OSSO Agent instance in edit mode in the Oracle Access Manager Console in Browser 1.

  2. Using the Oracle Access Manager Console in another browser (Browser 2) or using a WLST script, delete this OSSO Agent.

  3. Now return to Browser 1 where the OSSO Agent instance is opened in edit mode.

  4. Click the Apply button.

Current Behavior

Editing the OSSO Agent in the Oracle Access Manager Console results in a null pointer exception.

The behavior is incorrect.

18.3.8 Install Guides Do Not Include Centralized Logout Configuration Steps

Single Sign-On is enabled after Oracle Access Manager is installed; to complete the out-of-the-box Single Sign-On configuration, centralized logout must be configured post-install. Configure centralized logout by following the directions in these sections:

18.3.9 NULL Pointer Exception Shown in Administration Server Console During Upgrade

A NULL pointer exception occurs because configuration events are triggered when the identity store shuts down. The upgrade is nevertheless successful, even though error messages are seen in the administration server console. There is no loss of service.

If the NULL pointer exception is seen during upgrade, there is no loss of service and you can ignore the error.

If the NULL pointer exception is seen during WLST command execution, you must restart the administration server.

18.3.10 Using Access SDK Version 10.1.4.3.0 with Oracle Access Manager 11g Servers

In general, the Sun Microsystems JDK 1.4.x compiler is the JDK version used with the Java interfaces of Access SDK Version 10.1.4.3.0.

As an exception, the Java interfaces of the 64-bit Access SDK Version 10.1.4.3.0 for the Linux operating system platform require the Sun Microsystems JDK 1.5.x compiler.

The new Session Management Engine capability within Oracle Access Manager 11g creates a session for every Access SDK version 10.1.4.3.0 authentication call.

This may cause issues for customers that use the Access SDK to programmatically authenticate an automated process: the number of sessions generated by Access SDK calls increases dramatically and causes high memory consumption.

18.3.11 Finding and Deleting Sessions Using the Console

When the session search criteria are generic (for example, just a wildcard (*)), there is a limitation on deleting a session from a large list of sessions.

Oracle recommends that your session search criteria be fine-grained enough to obtain a relatively small result set (ideally 20 or fewer).

18.3.12 Non-ASCII Users with Resource Protected by Kerberos Authentication Scheme

Non-ASCII users fail to access a resource protected by a Kerberos authentication scheme using WNA as a challenge method.

The exception occurs when trying to get user details to populate the subject with the user DN and GUID attributes.

18.4 Oracle Security Token Service Issues and Workarounds

This section provides the following topics:

18.4.1 No Warnings Given If Required Details are Omitted

On the Token Mapping page of a new Validation Template with the following characteristics:

  • WS-Security

  • Token Type SAML 1.1

  • Default Partner Profile: requester profile

No warnings are given:

  • If you check the Enable Attribute Based User Mapping box but leave the required User Attributes field empty

    A new row is not saved if the User Attribute field is empty; it is saved if both fields are filled. Removing the value of the User Attribute field in a user-added row causes the row to be deleted when you click Apply.

  • If you attempt to delete built-in Name Identifier Mapping rows

    Built-in Name Identifier Mapping rows cannot be deleted.

18.4.2 New Requester Pages, Internet Explorer v7, and Japanese Locale

When using the Japanese Locale with Internet Explorer v7, the title "New Requester" is not displayed in one line on the page. The Partner, Name, Partner Type, and Partner Profile fields might wrap on the page.

This can occur whether you are creating or modifying the Partner (Requester, Relying Party, and Issuing Authority).

18.4.3 Delete Button Not Disabled When Tables Have No Rows

The Delete button is enabled even though there are no rows to be deleted in the following tables:

  • The Attribute Name Mapping table (Token and Attributes page for Partner Profiles: Requester, Relying Party, and Issuing Authority Profiles)

  • The Value Mapping table in Issuing Authority Partner Profiles

When there are no rows in a table, the Delete button should be disabled by default.

18.4.4 Copying an Issuance Template Does Not Copy All Child Elements

The Issuance Template Copy Like function does not copy nested tables (the attribute mapping and filtering tables, and the custom token attribute table).

Workaround: Navigate to the desired Issuance Template, click the name in the navigation tree and click the Copy Like button. Manually enter missing information from the original: Attribute Mappings or custom attribute tables.

18.4.5 Apply and Revert Buttons are Enabled

The Apply and Revert buttons are enabled on Oracle Security Token Service pages even when there are no changes to apply and no saved changes to revert to.

18.4.6 Only Generic Fault Errors Written to Oracle WSM Agent Logs

No details are written to the logs for Oracle WSM agent errors; only a generic fault error is recorded.

Workaround: Enable message logging for the Oracle WSM agent on the host OAM Server.

  1. Locate the logging.xml file at $DOMAIN/config/fmwconfig/server/oam_server1/logging.xml.

  2. Change the WSM block of the logging.xml file, to:

    <logger name="oracle.wsm" level="TRACE:32" useParentHandlers="false">
    <handler name="odl-handler"/>
    </logger> 
    
    <logger name="oracle.wsm.msg.logging" level="TRACE:32"
    useParentHandlers="false">
    <handler name="owsm-message-handler"/>
    <handler name="wls-domain"/>
    </logger>
    
  3. OSTS Policies: When Oracle Security Token Service policies are used (instead of Oracle-provided WSM policies) perform the following steps:

    1. Locate: Oracle_IDM1/oam/server/policy

    2. Unjar sts-policies.jar.

    3. In META-INF/polices/sts, change all the policies so that Enforced is set to true:

    <oralgp:Logging orawsp:name="Log Message1" orawsp:Silent="true"
    orawsp:Enforced="true" orawsp:category="security/logging">
    <oralgp:msg-log>
    <oralgp:request>all</oralgp:request>
    <oralgp:response>all</oralgp:response>
    <oralgp:fault>all</oralgp:fault>
    </oralgp:msg-log>
    </oralgp:Logging>
    
  4. Re-jar the updated sts-policies.jar.

  5. Restart the AdminServer and managed servers.
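The policy-editing part of this workaround (steps 3.1 to 3.4) can be scripted. The following is an added example, not Oracle's code: it unpacks sts-policies.jar, sets orawsp:Enforced="true" on every oralgp:Logging assertion, and re-jars the result. The in-jar path META-INF/policies/sts, the sample file name and the sample policy's namespace URIs (urn:example:...) are assumptions made for this illustration.

```python
# Added example, not Oracle's code: rewrites every oralgp:Logging assertion inside
# sts-policies.jar to orawsp:Enforced="true", i.e. steps 3.1 to 3.4 above in one pass.
# The in-jar path META-INF/policies/sts, the sample file name and the sample's
# namespace URIs (urn:example:...) are assumptions made for this illustration.
import io, os, tempfile, zipfile
import xml.etree.ElementTree as ET

POLICY_DIR = "META-INF/policies/sts"   # assumed; the note above spells it "polices"


def _register_prefixes(xml_bytes):
    # Keep the file's own prefixes (oralgp, orawsp, wsp) in the output instead of
    # ElementTree's generated ns0, ns1, ... so the re-jarred policy still reads naturally.
    for _, (prefix, uri) in ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns",)):
        ET.register_namespace(prefix, uri)


def enforce_logging(xml_bytes):
    """Return (rewritten policy, number of Logging assertions switched to Enforced="true")."""
    _register_prefixes(xml_bytes)
    root = ET.fromstring(xml_bytes)
    changed = 0
    for el in root.iter():
        if el.tag.endswith("}Logging"):
            for key in el.attrib:
                if key.endswith("}Enforced") and el.attrib[key] != "true":
                    el.attrib[key] = "true"
                    changed += 1
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), changed


def rewrite_policy_jar(src, dst):
    """Copy src jar to dst, patching every .xml under POLICY_DIR; returns the change count."""
    total = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info.filename)
            if info.filename.startswith(POLICY_DIR) and info.filename.endswith(".xml"):
                data, n = enforce_logging(data)
                total += n
            zout.writestr(info, data)
    return total


# Constructed sample policy in the shape shown above; namespace URIs are placeholders.
SAMPLE_POLICY = b"""<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:oralgp="urn:example:oralgp" xmlns:orawsp="urn:example:orawsp">
  <oralgp:Logging orawsp:name="Log Message1" orawsp:Silent="true"
      orawsp:Enforced="false" orawsp:category="security/logging">
    <oralgp:msg-log><oralgp:request>all</oralgp:request>
      <oralgp:response>all</oralgp:response><oralgp:fault>all</oralgp:fault>
    </oralgp:msg-log>
  </oralgp:Logging>
</wsp:Policy>"""


def sample_roundtrip():
    """Build a throwaway jar holding SAMPLE_POLICY, patch it, and return what came out."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "sts-policies.jar"), os.path.join(tmp, "patched.jar")
        with zipfile.ZipFile(src, "w") as z:
            z.writestr(POLICY_DIR + "/sample_policy.xml", SAMPLE_POLICY)
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        changed = rewrite_policy_jar(src, dst)
        with zipfile.ZipFile(dst) as z:
            return changed, z.read(POLICY_DIR + "/sample_policy.xml")
```

Run it against a copy of the real jar with `rewrite_policy_jar("sts-policies.jar", "sts-policies.patched.jar")` and only then replace the original (step 4) and restart the servers (step 5).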

18.4.7 Server and Client Key Tab Files Must be the Same Version

An exception occurs while authenticating the Kerberos token if WebLogic 10.3.5 is configured with a Sun JDK 6 newer than u18.

When using the Kerberos token as an authentication token requesting the security token from Oracle Security Token Service:

  • The keytab file configured in the validation template should always be the latest version from the KDC server

  • The KVNO should always be the latest available on the server.

18.4.8 Default Partner Profile Required for WS-Security

The Oracle Access Manager Access Administration Guide states "When you toggle the Token Protocol from WS-Trust to WS-Security, options in the Token Type list do not change. However, the required "Default Partner Profile" list appears from which you must choose one profile for WS-Security."

Correction: When you toggle the Token Protocol from WS-Trust to WS-Security, a required field "Default Partner Profile" appears, and you must choose a value for it. If you toggle back to WS-Trust without choosing a value for this field, the options in the Token Type list are not updated correctly to the WS-Trust Token Type values.

18.4.9 SAML Token Issued When NameID is Not Found

Rather than returning an error response, Oracle Security Token Service can issue an assertion with an empty NameIdentifier element when the NameIdentifier user attribute has a null or empty value. For example:

<saml:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>

Workaround: Ensure that the "Name Identifier User Attribute" field in the Issuance Template names an attribute that is populated in the user store.
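A relying party should not accept an assertion like the one above as identifying anyone. The following added example (not Oracle's code) shows a consumer-side check that rejects a SAML 1.1 assertion whose NameIdentifier is absent, duplicated, or empty; the sample assertions are constructed for illustration.

```python
# Added example, not Oracle's code: a relying-party check that refuses a SAML 1.1
# assertion whose NameIdentifier is missing or empty, which is the condition
# described above. The sample assertions below are constructed for illustration.
import xml.etree.ElementTree as ET

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
NAMEID_TAG = "{%s}NameIdentifier" % SAML11_NS
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def name_identifier(assertion_xml):
    """Return (value, Format) of the assertion's single NameIdentifier.

    Raises ValueError when the element is absent, duplicated, or carries no text,
    the last case being exactly what the note above shows OSTS emitting.
    """
    root = ET.fromstring(assertion_xml)
    nodes = root.findall(".//" + NAMEID_TAG)
    if len(nodes) != 1:
        raise ValueError("expected one NameIdentifier, found %d" % len(nodes))
    node = nodes[0]
    value = (node.text or "").strip()
    if not value:
        raise ValueError("empty NameIdentifier (Format=%s)" % node.get("Format"))
    return value, node.get("Format")


def accept_assertion(assertion_xml):
    """True only if the assertion parses and actually names a subject."""
    try:
        name_identifier(assertion_xml)
    except (ValueError, ET.ParseError):
        return False
    return True


def _assertion(name_id_xml):
    # Constructed minimal SAML 1.1 assertion wrapping the given NameIdentifier element.
    return (
        '<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1">'
        "<saml:AuthenticationStatement><saml:Subject>%s</saml:Subject>"
        "</saml:AuthenticationStatement></saml:Assertion>" % (SAML11_NS, name_id_xml)
    )


GOOD = _assertion('<saml:NameIdentifier Format="%s">alice@example.com'
                  "</saml:NameIdentifier>" % EMAIL_FMT)
# The shape reported in this note: a Format attribute but no value at all.
EMPTY = _assertion('<saml:NameIdentifier Format="%s"/>' % EMAIL_FMT)
BLANK = _assertion('<saml:NameIdentifier Format="%s">   </saml:NameIdentifier>' % EMAIL_FMT)

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("empty", EMPTY), ("blank", BLANK)):
        print(label, "accepted" if accept_assertion(doc) else "rejected")
```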

18.5 Integration and Inter-operability Issues and Workarounds

This section provides the following topics:

18.5.1 WNA Authentication Does Not Function on Windows 2008

The default Kerberos encryption types supported by Windows 2008 Server and Windows 2007 machines are "AES256-CTS-HMAC-SHA1-96", "AES128-CTS-HMAC-SHA1-96" and "RC4-HMAC".

If the clients are configured to use DES-only encryption, users cannot access protected resources with Kerberos authentication. The error message "An incorrect username and password was specified" might be displayed.

Because the initial Kerberos tokens are not present, the browser sends NTLM tokens, which the OAM Server does not recognize; therefore, the user authentication fails.

The workaround is to enable the encryption mechanisms by following the procedure described at:

http://technet.microsoft.com/en-us/library/dd560670%28WS.10%29.aspx

18.5.2 JVM Plug-in Ignores Cookies Marked 'httponly'

Cookies set with the httponly flag are not available to browser-side scripts or Java applets; the JVM plugin ignores cookies marked 'httponly'.

To resolve the issue:

  1. In mod_sso.conf, turn off the OssoHTTPOnly parameter (OssoHTTPOnly off).

  2. Add the required OSSO cookies to the list of possible applet parameters to pass for authentication.

18.6 Oracle Access Manager with Impersonation Workarounds

This section provides the following topics:

18.6.1 Impersonation Can Fail on Internet Explorer v 7, 8, 9

Due to a limitation with the Internet Explorer browser, Impersonation can fail to go to the Consent page when the Impersonatee's userid contains Non-ASCII characters.

Impersonation goes instead to the failure_url if you directly type or paste the starting impersonation URL in the browser.

18.6.2 With Oracle Access Manager 11g ORA_FUSION_PREFS Cookie Domain is Three Dots

With Oracle Access Manager 10g, the ORA_FUSION_PREFS cookie domain used the following form (2 dots):

    10g form: .example.com

However, Oracle Access Manager 11g localized login accepts only the following format for the ORA_FUSION_PREFS cookie domain (3 dots):

    11g form: .us.example.com

For example, if the host name is ruby.us.example.com, Oracle Access Manager 11g creates a cookie with the domain name .us.example.com.

However, the application session creates a cookie with the domain name .example.com, which causes inter-operability failure between Fusion Middleware and the application session using this cookie.

Workaround: Update the FACookieDomain parameter to correspond to 11g requirements, and increment the Version xsd:integer in the oam-config.xml, as shown in this example:

  1. Back up DOMAIN_HOME/config/fmwconfig/oam-config.xml.

  2. Open the file for editing and pay close attention to your changes.

  3. Set FACookieDomain to your domain (with 3 dot separators):

    <Setting Name="FAAppsConfig" Type="htf:map">
         <Setting Name="FACookieDomain" Type="xsd:string">.us.example.com</Setting>
         <Setting Name="FAAuthnLevel" Type="xsd:integer">2</Setting>
         <Setting Name="consentPage" Type="xsd:string">/oam/pages/impconsent.jsp
         </Setting>
    </Setting>      
    
  4. Configuration Version: Increment the Version xsd:integer as shown in the next to last line of this example (existing value (26, here) + 1):

    Example:

    <Setting xmlns="http://www.w3.org/2001/XMLSchema"
      Name="NGAMConfiguration" Type="htf:map">
      <Setting Name="ProductRelease" Type="xsd:string">11.1.1.3</Setting>
      <Setting Name="Version" Type="xsd:integer">26</Setting>
    </Setting>
    
  5. Save oam-config.xml.
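Steps 1 to 5 above can be performed in one scripted pass that also refuses a two-dot domain before touching the file. The following is an added example, not Oracle's code; SAMPLE_CONFIG is a constructed, heavily trimmed oam-config.xml whose element hierarchy is a sketch, and the .bak backup name is this example's choice.

```python
# Added example, not Oracle's code: carries out steps 1 to 5 above on oam-config.xml
# (back up, set FACookieDomain to a three-dot domain, increment the top-level Version,
# write back). SAMPLE_CONFIG is a constructed, heavily trimmed oam-config.xml; the
# real file is far larger and its element hierarchy differs from this sketch.
import re
import shutil
import xml.etree.ElementTree as ET

XSD_NS = "http://www.w3.org/2001/XMLSchema"          # default namespace of oam-config.xml
THREE_DOTS = re.compile(r"^\.[^.]+\.[^.]+\.[^.]+$")   # .us.example.com, not .example.com


def _setting(parent, name, deep):
    """Find <Setting Name=name>; deep=True searches the subtree, else direct children only."""
    for el in (parent.iter() if deep else list(parent)):
        if el.tag.rsplit("}", 1)[-1] == "Setting" and el.get("Name") == name:
            return el
    raise LookupError("no Setting Name=%r" % name)


def update_cookie_domain(xml_text, new_domain):
    """Return (new xml, previous FACookieDomain, new Version); raises on a 2-dot domain."""
    if not THREE_DOTS.match(new_domain):
        raise ValueError("%r is not in the three-dot form .us.example.com" % new_domain)
    ET.register_namespace("", XSD_NS)      # keep the file's default namespace unprefixed
    root = ET.fromstring(xml_text)
    domain = _setting(root, "FACookieDomain", deep=True)
    old_domain, domain.text = domain.text, new_domain
    version = _setting(root, "Version", deep=False)   # the NGAMConfiguration-level Version
    new_version = int(version.text) + 1
    version.text = str(new_version)
    return ET.tostring(root, encoding="unicode"), old_domain, new_version


def update_oam_config(path, new_domain):
    """Step 1 backup (the '.bak' suffix is this example's choice), then rewrite in place."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as f:
        new_xml, old_domain, new_version = update_cookie_domain(f.read(), new_domain)
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_xml)
    return old_domain, new_version


SAMPLE_CONFIG = """<Setting xmlns="%s" Name="NGAMConfiguration" Type="htf:map">
  <Setting Name="ProductRelease" Type="xsd:string">11.1.1.3</Setting>
  <Setting Name="Version" Type="xsd:integer">26</Setting>
  <Setting Name="DeployedComponent" Type="htf:map">
    <Setting Name="FAAppsConfig" Type="htf:map">
      <Setting Name="FACookieDomain" Type="xsd:string">.example.com</Setting>
      <Setting Name="FAAuthnLevel" Type="xsd:integer">2</Setting>
    </Setting>
  </Setting>
</Setting>""" % XSD_NS

if __name__ == "__main__":
    _, old, ver = update_cookie_domain(SAMPLE_CONFIG, ".us.example.com")
    print("FACookieDomain %s -> .us.example.com; Version -> %d" % (old, ver))
```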

18.7 Documentation Errata

This section provides documentation errata for the following guides:

18.7.1 Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service

There is no documentation errata for this guide.

18.7.2 Oracle Fusion Middleware Developer's Guide for Oracle Access Manager and Oracle Security Token Service

There is no documentation errata for this guide.

18.7.3 Oracle Fusion Middleware Integration Guide for Oracle Access Manager

This section contains documentation errata applicable to the Oracle Fusion Middleware Integration Guide for Oracle Access Manager, part number E15740-04 only.

The following documentation errata are included for this guide:

18.7.3.1 Updates to Prerequisites for OAM-OIM Integration

In the Oracle Fusion Middleware Integration Guide for Oracle Access Manager, part number E15740-04, Chapter 5 Integrating Oracle Access Manager and Oracle Identity Manager, Section 5.2 Prerequisites, Step 8a instructs you to prepare to configure LDAP synchronization (LDAP sync) in the domain where Oracle Identity Manager runs.

Step 8a directs you to Section 14.8.5 Completing the Prerequisites for Enabling LDAP Synchronization of the Oracle Fusion Middleware Installation Guide for Oracle Identity Management, Part Number E12002-09. This may be confusing as some steps of that section (such as creating the OIM user and group) are already complete.

Instead, Step 8a should direct you to Section 14.8.5.2 Creating Adapters in Oracle Virtual Directory of the Oracle Fusion Middleware Installation Guide for Oracle Identity Management, so that you can configure the Oracle Virtual Directory adapter for Oracle Internet Directory.

Also in Section 5.2 Prerequisites, Step 8c instructs you to run a configuration wizard to configure LDAP synchronization (LDAP sync) in the domain where Oracle Identity Manager runs. This step does not work if Oracle Identity Manager was installed without LDAP synchronization enabled.

Instead, Step 8c should direct you to Section 10.1 Enabling Postinstallation LDAP Synchronization of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager, Part Number E14308-08, for the correct procedure to enable LDAP synchronization post-installation.

18.7.3.2 Properties for configOIM Command

Section 5.4, Perform Integration Tasks in Oracle Identity Manager, does not provide definitions of all the properties to be specified in the properties file when executing the -configOIM command in Step 3.

Use the following property definitions to assist you in configuring the properties file of the procedure:

Table 18-1 Properties for configOIM Command

LOGINURI: URI required by OPSS. Default value is /${app.context}/adfAuthentication

LOGOUTURI: URI required by OPSS. Default value is /oamsso/logout.html

AUTOLOGINURI: URI required by OPSS. Default value is /obrar.cgi

ACCESS_SERVER_HOST: Oracle Access Manager hostname.

ACCESS_SERVER_PORT: Oracle Access Manager NAP port.

ACCESS_GATE_ID: The OAM access gate ID with which OIM needs to communicate.

OIM_MANAGED_SERVER_NAME: The name of the Oracle Identity Manager managed server. If clustered, any of the managed servers can be specified.

COOKIE_DOMAIN: Web domain on which the OIM application resides. Specify the domain in the format .cc.example.com.

COOKIE_EXPIRY_INTERVAL: Cookie expiration period. Set to -1.

OAM_TRANSFER_MODE: The security model in which the Access Servers function. Choices are OPEN or SIMPLE.

WEBGATE_TYPE: The type of WebGate agent you want to create. Set to javaWebgate if using a domain agent; set it to ohsWebgate10g if using a 10g WebGate.

SSO_ENABLED_FLAG: Flag to determine whether SSO should be enabled. Set to true or false.

IDSTORE_PORT: The port number for the identity store (corresponding to the IDSTORE_DIRECTORYTYPE).

IDSTORE_HOST: The hostname of the identity store (corresponding to the IDSTORE_DIRECTORYTYPE).

IDSTORE_DIRECTORYTYPE: The type of directory for which the authenticator must be created. OID for Oracle Internet Directory; OVD for all other directories.

IDSTORE_ADMIN_USER: User with admin privileges. Note that the entry must contain the complete LDAP DN of the user.

IDSTORE_USERSEARCHBASE: The location in the directory where users are stored.

IDSTORE_GROUPSEARCHBASE: The location in the directory where groups are stored.

MDS_DB_URL: The URL for the MDS database.

MDS_DB_SCHEMA_USERNAME: The schema name for the MDS database.

WLSHOST: The WebLogic server hostname.

WLSPORT: The WebLogic server port number.

WLSADMIN: The WebLogic server administrator.

DOMAIN_NAME: The Oracle Identity Manager domain name.

DOMAIN_LOCATION: The Oracle Identity Manager domain location.

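Several of the definitions in Table 18-1 are constraints (fixed vocabularies, a port, a three-dot cookie domain, a complete LDAP DN) that configOIM will otherwise only reject at run time. The following added example, not Oracle's code, checks a properties file against those constraints before the command is run; the sample file and the host, port and agent values in it are constructed for illustration.

```python
# Added example, not Oracle's code: checks a configOIM properties file against the
# constraints in Table 18-1 before the command is run. The sample file and the
# host, port and agent values in it are constructed for illustration.
import re

REQUIRED = ("LOGINURI LOGOUTURI AUTOLOGINURI ACCESS_SERVER_HOST ACCESS_SERVER_PORT "
            "ACCESS_GATE_ID OIM_MANAGED_SERVER_NAME COOKIE_DOMAIN COOKIE_EXPIRY_INTERVAL "
            "OAM_TRANSFER_MODE WEBGATE_TYPE SSO_ENABLED_FLAG IDSTORE_PORT IDSTORE_HOST "
            "IDSTORE_DIRECTORYTYPE IDSTORE_ADMIN_USER IDSTORE_USERSEARCHBASE "
            "IDSTORE_GROUPSEARCHBASE MDS_DB_URL MDS_DB_SCHEMA_USERNAME WLSHOST WLSPORT "
            "WLSADMIN DOMAIN_NAME DOMAIN_LOCATION").split()
ALLOWED = {"OAM_TRANSFER_MODE": {"OPEN", "SIMPLE"}, "SSO_ENABLED_FLAG": {"true", "false"},
           "WEBGATE_TYPE": {"javaWebgate", "ohsWebgate10g"}, "COOKIE_EXPIRY_INTERVAL": {"-1"},
           "IDSTORE_DIRECTORYTYPE": {"OID", "OVD"}}
PORTS = ("ACCESS_SERVER_PORT", "IDSTORE_PORT", "WLSPORT")
URIS = ("LOGINURI", "LOGOUTURI", "AUTOLOGINURI")
THREE_DOT_DOMAIN = re.compile(r"^\.[^.]+\.[^.]+\.[^.]+$")               # .cc.example.com
LDAP_DN = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")  # cn=x,dc=y


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comments."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and line[0] not in "#!":
            m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
            props[m.group(1)] = m.group(2).strip()
    return props


def validate(props):
    """Return a list of problems; an empty list means the file matches Table 18-1."""
    problems = ["%s: missing or empty" % k for k in REQUIRED if not props.get(k)]
    for key, value in ((k, v) for k, v in props.items() if v):
        if key in ALLOWED and value not in ALLOWED[key]:
            problems.append("%s: %r is not one of %s" % (key, value, sorted(ALLOWED[key])))
        elif key in PORTS and not value.isdigit():
            problems.append("%s: %r is not a port number" % (key, value))
        elif key in URIS and not value.startswith("/"):
            problems.append("%s: %r must start with /" % (key, value))
        elif key == "COOKIE_DOMAIN" and not THREE_DOT_DOMAIN.match(value):
            problems.append("%s: %r is not in .cc.example.com form" % (key, value))
        elif key == "IDSTORE_ADMIN_USER" and not LDAP_DN.match(value):
            problems.append("%s: %r is not a complete LDAP DN" % (key, value))
    return problems


SAMPLE = """# constructed sample: three wrong values; identity store, MDS and WebLogic keys omitted
LOGINURI=/${app.context}/adfAuthentication
LOGOUTURI=/oamsso/logout.html
AUTOLOGINURI=/obrar.cgi
ACCESS_SERVER_HOST=oam.example.com
ACCESS_SERVER_PORT=5575
ACCESS_GATE_ID=oim_accessgate
OIM_MANAGED_SERVER_NAME=oim_server1
COOKIE_DOMAIN=.example.com
COOKIE_EXPIRY_INTERVAL=-1
OAM_TRANSFER_MODE=cert
WEBGATE_TYPE=javaWebgate
SSO_ENABLED_FLAG=true
IDSTORE_DIRECTORYTYPE=OID
IDSTORE_ADMIN_USER=orcladmin
"""
```

Running `validate(parse_properties(open("oim.properties").read()))` lists every problem at once; for the constructed SAMPLE it reports the two-dot cookie domain, the unsupported transfer mode, the bare user name instead of a DN, and the eleven omitted keys.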
18.7.3.3 Updated Example for Integrating OIF/SP

In Section 4.3 Integrate Oracle Identity Federation in SP Mode, under sub-section 4.3.2 Delegate Authentication to Oracle Identity Federation, Step 7c contains an incorrect example of how to update the OIFDAP partner block in the oam-config.xml configuration file. The correct example should be:

registerOIFDAPPartner(keystoreLocation="/scratch/keystore",
    logoutURL="http(s)://oifhost:oifport/fed/user/splooam11g?doneURL=http(s)://oamhost:oamport/oam/server/pages/logout.jsp",
    rolloverTime="500")

Note that oifhost and oifport refer to the Oracle Identity Federation server host and port respectively; and oamhost and oamport refer to the Oracle Access Manager server host and port respectively.