5 Oracle Access Management

This chapter describes issues associated with Oracle Access Management. It includes the following topics:

Note:

For late-breaking changes and information, see My Oracle Support document ID 1537796.1.

5.1 General Issues and Workarounds

This section describes general issues and workarounds organized around specific services. To streamline your experience, only services with a general issue are included. If you do not find a service-related topic (Security Token Service, for example), there are no general issues at this time.

The following topics are included:

5.1.1 General Issues and Workarounds: Access Manager

This topic describes general issues and workarounds for Oracle Access Management Access Manager (Access Manager). It includes the following topics:

5.1.1.1 LDR_PRELOAD64 Flag Required For WebGate Agent With AIX 6.1 & 7.1

Support for WebGate agents using the Apache 2.2 server on AIX 5.3, 6.1 and 7.1 has been added. The Apache Server will not start or work (with AIX 6.1 and 7.1) unless the LDR_PRELOAD64 flag is set using the following command:

export LDR_PRELOAD64=libclntsh.so

5.1.1.2 ASDK Returns Incorrect Version Details

The 11gR2 PS1 ASDK has incorrect version details:

  • The getSDKVersion() API returns the value 11.1.2.0.0 instead of 11.1.2.1.0.

  • The name of the ofm_oam_sdk_generic_11.1.2.1.0_disk1_1of1.zip disk might be ofm_oam_sdk_generic_11.1.2.0.0_disk1_1of1.zip.

5.1.1.3 Benign Exceptions Observed

The following benign exception might be seen on the Administration and Managed servers. It can be ignored.

java.lang.NoClassDefFoundError: oracle/security/am/engines/rreg/common/RegistrationRequest
  at java.lang.Class.getDeclaredMethods0(Native Method)
  at java.lang.Class.privateGetDeclaredMethods(Class.java:2427)
  at java.lang.Class.privateGetPublicMethods(Class.java:2547)
  at java.lang.Class.getMethods(Class.java:1410)
  at oracle.security.am.admin.config.mgmt.beanimpl.AMBootstrap.isBootstrapCandidate(AMBootstrap.java:191)
  at oracle.security.am.admin.config.mgmt.beanimpl.AMBootstrap.invokeBootstrapMethods(AMBootstrap.java:146)
  at oracle.security.am.admin.config.mgmt.beanimpl.AMBootstrap.doServerBootstrap(AMBootstrap.java:106)
  at oracle.security.am.admin.config.mgmt.beanimpl.AMBootstrap.load(AMBootstrap.java:247)

The following benign exception is seen in the AdminServer-diagnostic.log file. It does not impact the Administration Console functionality and can be ignored.

oracle.mds.exception.ReadOnlyStoreException: MDS-01273: The operation on the resource /oracle/oam/ui/adfm/DataBindings.cpx failed because source metadata store mapped to the namespace / DEFAULT is read only.
  at oracle.mds.core.MDSSession.checkAndSetWriteStoreInUse(MDSSession.java:2495)
  at oracle.mds.core.MDSSession.checkAndSetWriteStoreInUse(MDSSession.java:2548)
  at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:3493)
  at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:1660)
  at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:1546)
  at oracle.adfdt.model.mds.MDSApplicationService.findApplication(MDSApplicationService.java:57)
  at oracle.adfdt.model.mds.MDSModelDesignTimeContext.initServices(MDSModelDesignTimeContext.java:232)
  at oracle.adfdt.model.mds.MDSModelDesignTimeContext.<init>(MDSModelDesignTimeContext.java:82)
  at oracle.adfdt.mds.MDSDesignTimeContext.<init>(MDSDesignTimeContext.java:66)
  at oracle.adf.view.rich.dt.DtAtRtContext.<init>(DtAtRtContext.java:22)
  at oracle.adf.view.rich.dt.Page.<init>(Page.java:535)
  at oracle.adf.view.rich.dt.Page.getInstance(Page.java:80)
  at oracle.adf.view.page.editor.customize.ComposerPageResolver.getPageObject(ComposerPageResolver.java:200)
  at oracle.adfinternal.view.page.editor.contextual.event.ContextualResolver.getPageDefinition(ContextualResolver.java:1229)
  at oracle.adfinternal.view.page.editor.contextual.event.ContextualResolver.<init>(ContextualResolver.java:129)

5.1.1.4 Can't Use WLST Commands For Federated SSO Password Policy

WLST commands cannot be used for adding, editing or deleting the federated SSO password policy profile until the following modifications have been made to the oam-config.xml file manually.

  1. Back up the existing oam-config.xml file.

  2. Find Setting Name="UserProfileInstance" in the file and add the following entry as a child of the "UserProfileInstance" setting.

    <Setting Name="NEW_PROFILE" Type="htf:map">
      <Setting Name="PasswordPolicyAttributes" Type="htf:map">
       <Setting Name="FORCED_PASSWORD_CHANGE" Type="xsd:boolean">true</Setting>
       <Setting Name="USER_ACCOUNT_DISABLED" Type="xsd:boolean">true</Setting>
       <Setting Name="PASSWORD_EXPIRED" Type="xsd:boolean">true</Setting>
       <Setting Name="TENANT_DISABLED" Type="xsd:boolean">true</Setting>
       <Setting Name="USER_ACCOUNT_LOCKED" Type="xsd:boolean">true</Setting>
      </Setting>
    </Setting>
    

    For edit and delete, the changes should be made on the existing profile entry in oam-config.xml.

  3. Increment the oam-config.xml "Version" setting and persist the changes.
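A scripted version of the three steps above, added here as an example and not Oracle's own tooling: it parses oam-config.xml, adds the profile's PasswordPolicyAttributes map under UserProfileInstance (or edits an existing profile, or deletes one), and increments Version so the change is persisted. The sample file layout, the top-level placement and Type of the Version setting, and the profile names OLD_PROFILE/NEW_PROFILE are assumptions; only the setting names shown in the note are taken from the page. Back up the real file first, as step 1 says.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for oam-config.xml (not a real file). The top-level
# placement and Type of the "Version" setting are assumptions; the
# UserProfileInstance / PasswordPolicyAttributes names come from the note.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="Version" Type="xsd:integer">41</Setting>
  <Setting Name="UserIdentityStores" Type="htf:map">
    <Setting Name="UserProfileInstance" Type="htf:map">
      <Setting Name="OLD_PROFILE" Type="htf:map">
        <Setting Name="PasswordPolicyAttributes" Type="htf:map">
          <Setting Name="FORCED_PASSWORD_CHANGE" Type="xsd:boolean">false</Setting>
        </Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>
"""

# The five flags the release note sets to true for the new profile.
POLICY_FLAGS = ("FORCED_PASSWORD_CHANGE", "USER_ACCOUNT_DISABLED",
                "PASSWORD_EXPIRED", "TENANT_DISABLED", "USER_ACCOUNT_LOCKED")

def _child(parent, name):
    """Direct child <Setting Name=name> of parent, or None (no deep search)."""
    for el in parent.findall("Setting"):
        if el.get("Name") == name:
            return el
    return None

def _profiles(root):
    """The UserProfileInstance map that profile entries hang under."""
    upi = root.find(".//Setting[@Name='UserProfileInstance']")
    if upi is None:
        raise ValueError("UserProfileInstance setting not found")
    return upi

def upsert_profile(root, profile_name, flags=None):
    """Add the profile (or edit an existing one) and set its policy flags."""
    flags = dict.fromkeys(POLICY_FLAGS, True) if flags is None else flags
    upi = _profiles(root)
    profile = _child(upi, profile_name)
    if profile is None:
        profile = ET.SubElement(upi, "Setting", Name=profile_name, Type="htf:map")
    attrs = _child(profile, "PasswordPolicyAttributes")
    if attrs is None:
        attrs = ET.SubElement(profile, "Setting",
                              Name="PasswordPolicyAttributes", Type="htf:map")
    for flag, value in flags.items():
        el = _child(attrs, flag)
        if el is None:
            el = ET.SubElement(attrs, "Setting", Name=flag, Type="xsd:boolean")
        el.text = "true" if value else "false"
    return profile

def delete_profile(root, profile_name):
    """Remove a profile entry; returns True if one was removed."""
    upi = _profiles(root)
    profile = _child(upi, profile_name)
    if profile is None:
        return False
    upi.remove(profile)
    return True

def bump_version(root):
    """Step 3 of the note: increment Version so OAM persists the change."""
    version = root.find("Setting[@Name='Version']")
    if version is None or not (version.text or "").strip().isdigit():
        raise ValueError("Version setting missing or not an integer")
    version.text = str(int(version.text) + 1)
    return int(version.text)

def apply_edit(xml_text, profile_name, delete=False):
    """Parse, add/edit or delete the profile, bump Version; returns (xml, version)."""
    root = ET.fromstring(xml_text)
    if delete and not delete_profile(root, profile_name):
        raise ValueError("profile %s not found" % profile_name)
    if not delete:
        upsert_profile(root, profile_name)
    new_version = bump_version(root)
    return ET.tostring(root, encoding="unicode"), new_version

def read_policy_flags(xml_text, profile_name):
    """{flag: 'true'/'false'} for a profile, or None if the profile is absent."""
    profile = _child(_profiles(ET.fromstring(xml_text)), profile_name)
    if profile is None:
        return None
    attrs = _child(profile, "PasswordPolicyAttributes")
    return {} if attrs is None else {s.get("Name"): s.text for s in attrs.findall("Setting")}

if __name__ == "__main__":
    new_xml, new_version = apply_edit(SAMPLE_OAM_CONFIG, "NEW_PROFILE")
    print("Version is now", new_version)
    print(new_xml)
```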

5.1.1.5 Exception Logged on Accessing Resource

A CertPathValidatorException is seen in the Access Manager diagnostic log when accessing a Resource. For example:

[2013-03-12T21:39:09.281-07:00] [oam_server1] [ERROR] [OAMSSA-12117] [oracle.oam.engine.authn] [tid: WebContainer : 3] [ecid: disabled,0] [APP: oam_server_11.1.2.0.0] Cannot validate the user certificate.[[
java.security.cert.CertPathValidatorException: The certificate issued by O=My Company Ltd, L=Newbury, ST=Berkshire, C=GB is not trusted; internal cause is:
  java.security.cert.CertPathValidatorException: Certificate chaining error
  at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111) at

5.1.1.6 Can't Get Static Method UserSession.getSessionAttributes()

The static getSessionAttributes() method does not retrieve all Session attributes for a user - only those which have been set using the ASDK.

5.1.1.7 Consecutive Logins in Multiple Tabs Doesn't Work for WebGate

FORM Cache Mode should be used to support multi-tab browser behavior. By default, it is set to COOKIE Mode.

5.1.1.8 Unsupported Items in WebSphere Trust Association Interceptor

The following items are unsupported in the Access Manager WebSphere Trust Association Interceptor (TAI) when compared to the Access Manager WebLogic Server Id Asserter.

  • Access Manager WAS TAI does not support SAML assertions based on the OAM_IDENTITY_ASSERTION header.

  • OAM WAS TAI does not support the Identity Context. Identity Context is supported based on the OAM_IDENTITY_ASSERTION header by Access Manager WebLogic Server Identity Asserter.

5.1.1.9 Logged Error During OAM Server Configuration Test

After running idmConfigTool.sh -configOAM, two WebGate profiles are created: Webgate_IDM and Webgate_IDM_11g; both are 11g. When validating each Access Manager server configuration using the oamtest tool, the Administration Console displays the connection status correctly but a long error/exception for each Webgate is logged. This error log is expected and can be ignored.

5.1.1.10 Simple Policy Not Migrated After Complete Migration

When performing a fresh incremental migration or a delta incremental migration after a complete migration, Simple Policies are not migrated. This issue is due to a Maximum Session Time lapse. Either restart the Administration Server or change the value of Maximum Session Time to more than 120 minutes.

5.1.1.11 Available Services Page Won't Open In Localized Internet Explorer 9

When accessing the OAM Administration Console localized for cn or jp using Internet Explorer 9, double-clicking the Available Services text does not open the related page. Clicking the folder icon instead of the text works, as does using Internet Explorer 8 or Firefox. If the page works in Internet Explorer 7, you can force OAM to run in Internet Explorer 7 compatibility mode. See the PDF called Run ADF Faces applications with IE 9 in IE 8 compatibility mode at Oracle Technology Network.

5.1.1.12 Running the Custom RSAPlugin.jar

The RSA plugin has been removed as a system plugin. The functionality can still be accessed by installing and using a custom RSA plugin. These steps should be followed to run a custom RSA plug-in, located in <ORACLE_HOME>/oam/custom_plugins/rsa/RSAPlugin.jar.

  1. Download the RSA dependent libraries named authapi.jar and cryptoj.jar.

  2. Add the authapi.jar and cryptoj.jar libraries to <DOMAIN_HOME>/config/fmwconfig/oam/plugin-lib.

  3. Get the custom RSAPlugin.jar file from its directory and import the plugin to add it to the list of custom plugins.

  4. Once successfully imported, distribute and activate the plug-in.

    Activation will fail the first time. When it does, restart the server and activate again. After activation, use the plugin to specify the necessary orchestration steps.

5.1.1.13 Create Provider Manually When Extending OIM Domain

If extending the Oracle Identity Manager domain by adding Oracle Access Management Access Manager, the 'OIMAuthenticationProvider' will be deleted. When integrating OIM and OAM using idmConfigTool -configOIM, providers are automatically reordered as required. If not using idmConfigTool -configOIM, the provider needs to be created manually.

5.1.1.14 Unable to Access "/" Context Root if Protected by OSSO Agent for 11g OHS

mod_osso agents shipped with 11g OHS cannot be configured to protect the context root '/'.

5.1.1.15 Starting Access Manager When Protected by Oracle Entitlements Server Throws Exception

You will get a runtime exception when starting an instance of Access Manager protected by Oracle Entitlements Server. The exception can be ignored.

5.1.1.16 Access Tester Does Not Work with Non-ASCII Agent Names

Register a Webgate with Access Manager using a non-ASCII name. In the Access Tester, enter the valid IP Address, Port, and Agent ID (non-ASCII name), then click Connect.

Connection testing fails.

5.1.1.17 Authentication Fails: WNA Challenge, Active Directory, Users with Non-ASCII Characters

Configure Access Manager to use Kerberos Authentication Scheme with WNA challenge method, and create a non-ASCII user in Microsoft Active Directory.

Problem

An exception occurs when trying to get user details to populate the subject with the user DN and GUID attributes. Authentication fails and an error is recorded in the OAM Server log when a non-ASCII user in Active Directory attempts to access an Access Manager-protected resource:

... Failure getting users by attribute : cn, value ....

Cause

The username in the attribute is passed without modification as a java string.

Solution

Non-ASCII users can access the resource protected by Kerberos WNA scheme by applying the following JVM system property in the startManagedWeblogic.sh script in $DOMAIN_HOME/bin:

-Dsun.security.krb5.msinterop.kstring=true

5.1.1.18 Simple Mode is Not Supported for JDK 1.6 and AIX

Simple mode is not supported with JDK 1.6 and on AIX platforms. Use Open or Cert mode instead.

5.1.1.19 User Might Need to Supply Credentials Twice with DCC-Enabled Webgate

Problem

When you have a Detached Credential Collector-enabled Webgate combined with a resource Webgate, the user might have to provide credentials twice. This can occur when login is triggered with a URL that results in an internal forward by Oracle HTTP Server.

Workaround

To resolve this issue, you can use the following workaround:

  1. Edit the httpd.conf file to add rewrite rules that redirect the browser for directory access (before the Webgate configuration include). For example:

    RewriteEngine On
    RewriteRule     ^(.*)/$         "$1/welcome-index.html"      [R]
    
  2. SSL-enabled Web server: Repeat these rules under SSL configuration.

5.1.2 General Issues and Workarounds: Security Token Service

This topic describes general issues and workarounds for Oracle Access Management Security Token Service (Security Token Service). It includes the following topics:

5.1.2.1 STS Does Not Honor The Lifetime Sent In RequestSecurityToken

Security Token Service does not process the Lifetime sent in the WS-Trust RequestSecurityToken message. Rather, the WS-Trust RequestSecurityTokenResponse contains the Lifetime per the configured token validity time in the Oracle Security Token Service Issuance Template.

5.1.2.2 Click On Security Token Service Column Throws Exception

When adding a new Attribute Name Mapping during the creation of a New Requester Profile in the Security Token Service section of the Access Manager Administration Console, an error message indicating an Unsupported Operation Exception can be displayed when clicking twice on a column titled Row No.

5.1.2.3 Issues with Searches and Non-English Browser Settings

Security Token Service searches might not return the expected result when the browser language is set to a non-English language. For example, this occurs when setting the:

  • Partner Type field to Requester, Relying Party or Issuing Authority in the Requesters, Relying Party or Issuing Authorities screens

  • Token Type to Username on the Token Issuance Templates screen when the Oracle Access Manager Administration Console browser setting is non-English

  • Token Type to Username on the Token Validation Templates screen when the Oracle Access Manager Administration Console browser setting is non-English

When the browser language is English, the search returns expected results.

5.1.3 General Issues and Workarounds: Identity Federation

This topic describes general issues and workarounds for Oracle Access Management Identity Federation (Identity Federation). It includes the following topic:

5.1.3.1 Errors when Webgate has Credential Collector Option Enabled

This problem is seen in the following situation:

  • Webgate fronts a resource.

  • The "Allow Credential Collector Operations" option is checked for that Webgate.

  • The resource is protected by a policy using FederationScheme.

Due to this issue, when access to the resource is requested, the server returns a 200 response containing a URL to which the browser then submits the request using POST, whereas the browser should have been redirected to that URL with a 302.

To resolve this issue, for Webgate agents fronting resources protected with the FederationScheme, disable the "Allow Credential Collector Operations" option.

5.1.4 General Issues and Workarounds: Mobile and Social

This topic describes general issues and workarounds for Oracle Access Management Mobile and Social. It includes the following topics:

5.1.4.1 Mobile and Social Does not Support the Native Android OS Browser

Mobile and Social supports the Mozilla Firefox and Google Chrome browsers on Android devices. The following issues are known to occur if the native Android OS browser is used.

  • The login web page rendered by the native browser does not allow the user to enter a username or password.

  • If a mobile single sign-on app is not installed on the mobile client, the native Android browser is unable to redirect the user to a page where the user can authenticate. This is due to a limitation in the native browser's JavaScript support.

5.1.4.2 Internet Explorer Users Need to Enable Protected Mode

Internet Explorer users who do not enable Protected Mode cannot sign in with an Internet Identity Provider. Instead, an empty page will display.

To work around this issue in Internet Explorer versions 8 and 9, enable Protected Mode:

  1. From the Internet Explorer menu choose Tools > Internet Options > Security.

  2. Select Enable Protected Mode and restart the browser.

5.1.4.3 Google Language Menu can Cause the Sign-in Page Flow to Display in Multiple Languages

If a user who signs in with Google selects a different language from the on-screen menu, Google redirects the page request outside of the request flow managed by Mobile and Social. Consequently, the log-in pages that Google generates may be in a different language than the pages generated by Mobile and Social. Mobile and Social provides translated pages based on the browser's language settings. To avoid having pages display in different languages, users should only use their browser's preferred language settings to make changes.

5.1.4.4 The Mobile and Social Settings Pane can be Dragged out of View

In the Oracle Access Management console, when viewing the "Mobile and Social Settings" tree in the navigation pane, it is possible to click and drag the contents of this pane out of view.

To work around this issue, refresh the page or log out and log in again.

5.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds organized around specific services. To streamline your experience, only services with an issue are included. For example, Identity Context has no known issues at this time and is not included. The following topics are included:

5.2.1 Configuration Issues and Workarounds: Access Manager

This topic describes configuration issues and workarounds for Oracle Access Management Access Manager (Access Manager). It includes the following topics:

5.2.1.1 OAM Migration Doesn't Create All Data Sources

If the OAM 10g environment that is being migrated to 11g has multiple database instances configured in a Directory Server Profile and some of them share the same displayName value, the migration process does not convert all of the database instances in Data Sources to the new environment. To work around this, rename the 10g environment database instances so that no two instances in the Directory Server Profile have the same displayName value.

5.2.1.2 Password Validation Scheme Defaults to LDAP after Upgrade

After upgrading Access Manager to version 11gR2 PS1, the Password Validation Scheme is not set to the Password Policy Validation Module. Use the Console to set the Password Validation Scheme to the Password Policy Validation Module.

5.2.1.3 Using Plugins Between IBM HTTP Server and WebSphere

Communication between the IBM HTTP Server (IHS) and WebSphere Application Server (WAS) is made possible by installing and configuring plugins that are available with IHS. The following steps describe the installation and configuration process.

  1. During IHS installation, install the out-of-the-box plugin.

  2. After installation, navigate to the IHS plugin directory (for example, $IHS_HOME\Plugins\config\webserver1) and verify that the plugin-cfg.xml configuration file is present.

  3. Modify plugin-cfg.xml as follows and save the file.

    1. Add the virtual host ports from which IHS can be accessed.

      <VirtualHostGroup Name="default_host">
        <!-- Include active IHS port details required for connecting to OAM on WAS -->
        <!-- <VirtualHost Name="*:9004"/> -->
        <VirtualHost Name="*:8080"/>
        <VirtualHost Name="*:17777"/>
      </VirtualHostGroup>
      
    2. Add a <ServerCluster> entry with the appropriate details, comprising the respective server entries where the resource is deployed.

    3. Add <UriGroup> tag for the respective serverclusters.

      <UriGroup Name="oamserver1_Cluster_URIs">
          <Uri Name="/oam/*"/>
      </UriGroup>
      
    4. Add the corresponding <Route> tag for the respective <UriGroup> tag.

      <Route ServerCluster="oamserver1_Cluster" 
        UriGroup="oamserver1_Cluster_URIs" VirtualHostGroup="default_host"/>
      
  4. Add the respective VirtualHost entries in WebSphere by navigating to Environment > Virtual Hosts > default_hosts > Host Alias in the IBM console.

5.2.1.4 Using ObAccessClient Results in SDK Initialization Failure

Using an ObAccessClient (created with the 11.1.1.5.0 Access Manager Console) to create the AccessClient for the 11g ASDK (11.1.1.7.0, 11.1.2.0.0 and above) results in the following error because the older ObAccessClient.xml file has Boolean settings expressed as true/false rather than numeric:

oracle.security.am.asdk.AccessClient initialize SEVERE: 
    Oracle Access SDK initialization failed.

To work around this, copy the original (older) ObAccessClient.xml from DOMAIN_HOME/output/AGENT_NAME to the ASDK configuration directory (configLocation). Alternatively, manually edit the newer ObAccessClient.xml to change the Boolean values ("true"/"false") to numeric values (0/1).
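The manual true/false-to-0/1 edit above, as an added script that is not part of Oracle's tooling: it rewrites every Boolean Value in ObAccessClient.xml to its numeric form, reports which parameters changed, and leaves non-Boolean values alone so that it can be re-run safely. The file is modelled as NameValPair elements with ParamName and Value attributes in the http://www.oblix.com namespace, and the sample parameters are constructed; treat that structure as an assumption and check it against your own agent's file.

```python
import xml.etree.ElementTree as ET

OBLIX_NS = "http://www.oblix.com"  # assumed default namespace of ObAccessClient.xml
ET.register_namespace("", OBLIX_NS)  # keep the output unprefixed, as in the input

# Constructed sample (not a real agent profile); parameter names are illustrative.
SAMPLE_OBACCESSCLIENT = """<CompoundList xmlns="http://www.oblix.com" ListName="ObAccessClient.xml">
  <SimpleList><NameValPair ParamName="id" Value="Webgate_IDM"/></SimpleList>
  <SimpleList><NameValPair ParamName="denyOnNotProtected" Value="true"/></SimpleList>
  <SimpleList><NameValPair ParamName="ipValidation" Value="false"/></SimpleList>
  <SimpleList><NameValPair ParamName="maxConnections" Value="1"/></SimpleList>
  <SimpleList><NameValPair ParamName="cachePragmaHeader" Value="no-cache"/></SimpleList>
</CompoundList>
"""

# The older ASDK expects numeric Booleans: 1 for true, 0 for false.
BOOL_TO_NUMERIC = {"true": "1", "false": "0"}

def _local(tag):
    """Strip the namespace from a tag: '{ns}NameValPair' -> 'NameValPair'."""
    return tag.rsplit("}", 1)[-1]

def _name_val_pairs(root):
    """Every NameValPair element in document order, whatever its nesting."""
    return [el for el in root.iter() if _local(el.tag) == "NameValPair"]

def convert_booleans(xml_text):
    """Rewrite every NameValPair whose Value is true/false to 1/0.

    Returns (new_xml_text, changed) where changed maps ParamName -> new value.
    Values that are already numeric or are ordinary strings are untouched, so
    running the conversion twice changes nothing the second time.
    """
    root = ET.fromstring(xml_text)
    changed = {}
    for el in _name_val_pairs(root):
        value = el.get("Value")
        if value is None:
            continue
        numeric = BOOL_TO_NUMERIC.get(value.strip().lower())
        if numeric is not None:
            el.set("Value", numeric)
            changed[el.get("ParamName")] = numeric
    return ET.tostring(root, encoding="unicode"), changed

def find_boolean_params(xml_text):
    """ParamNames still carrying true/false; an empty list means the file is ASDK-safe."""
    return [el.get("ParamName") for el in _name_val_pairs(ET.fromstring(xml_text))
            if (el.get("Value") or "").strip().lower() in BOOL_TO_NUMERIC]

if __name__ == "__main__":
    new_xml, changed = convert_booleans(SAMPLE_OBACCESSCLIENT)
    print("converted:", changed)
    print(new_xml)
```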

5.2.1.5 Configuring oamtai.xml for Multiple WebGates

There is only one oamtai.xml file for a single WebSphere instance. Where the deployment contains multiple WebGate profiles protecting applications deployed on the same WebSphere application server (for example, a mix of 10g and 11g WebGates), the OAM Trust Association Interceptor must be configured as follows.

  • Irrespective of the number of Webgates in the deployment, the agent profile defined in the file should be an OAM10g type.

  • The assertion type should be defined as HeaderBasedAssertion.

5.2.1.6 obLockedOn Attribute Missing From Oracle Internet Directory

After upgrading Access Manager from 11gR2 to 11gR2 PS1, the obLockedOn attribute will be missing from the Oracle Internet Directory. Use the following steps to add this attribute back to the OID.

  1. Manually add the obLockedOn attribute to the schema.

  2. Import the LDIF to OID using the ldapmodify command.

  3. Edit the oam_user_write_acl_users_oblockedon_template.ldif to give oamSoftwareUser permission to modify obLockedOn.

    Replace %s_UsersContainerDN% with User Search Base and replace %s_GroupsContainerDN% with Group Search Base.

  4. Import the modified oam_user_write_acl_users_oblockedon_template.ldif.

5.2.1.7 OAM 10g Webgates Used with OAM 11g Need Javascript

When Oracle Access Manager 10g Webgates are used with Oracle Access Management 11g, the webgate_install_directory/oamsso/logout.html page needs JavaScript code to initiate redirection to the Oracle Access Management 11g server logout page. That logout page, in addition to removing the Webgate cookie, also clears the 11g session. When migrating Oracle Access Manager 10g Webgates, follow the procedure documented in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

5.2.1.8 Enabling OpenSSO Agent Configuration Hotswap

To enable OpenSSO Agent configuration hotswap, make sure the OpenSSO agents have the following properties in the Miscellaneous properties section of the agent's registration in the OpenSSO Proxy on the OAM Server, and then restart the agent servers.

J2EE Agents:

com.sun.identity.client.notification.url=http://<AGENT_SERVER_HOST>:<AGENT_SERVER_PORT>/agentapp/notification

Web Agents:

com.sun.identity.client.notification.url=http://<AGENT_SERVER_HOST>:<AGENT_SERVER_PORT>/UpdateAgentCacheServlet?shortcircuit=false

Not supported for Web Agents:

com.sun.identity.agents.config.change.notification.enable=true

Restart the OAM Server hosting the agent.

5.2.2 Configuration Issues and Workarounds: Security Token Service

This topic describes configuration issues and their workarounds for Oracle Access Management Security Token Service (Security Token Service). It includes the following topics:

5.2.2.1 Create Like (Duplicate) Does Not Copy All Properties of Original Template

Security Token Service Create Like (duplicate) button does not copy some properties on the original Issuing Authority Profile template (the Security and Attribute Mapping sections, for instance).

The Administrator must manually enter the necessary configuration items into the newly created Issuing Authority Profile:

  1. From the Oracle Access Management Console System Configuration tab, Security Token Service section, go to Issuance Templates.

  2. Select an existing Issuance Template and click the Create Like (duplicate) button.

  3. Create the new copied Issuance Template and manually enter the necessary configuration items in the newly created Template.

5.2.2.2 No Console Support Removing Partner Encryption or Signing Certificates

Oracle Access Management Console does not provide a way to remove a signing or encryption certificate that was set for a Security Token Service Partner.

The Administrator must manually delete these using the following WLST commands:

To delete the signing certificate of a Security Token Service Partner:

deletePartnerSigningCert 

To delete the encryption certificate of a Security Token Service Partner:

deletePartnerEncryptionCert 

5.2.3 Configuration Issues and Workarounds: Identity Federation

This topic describes configuration issues and their workarounds for Oracle Access Management Identity Federation (Identity Federation). It includes the following topics:

5.2.3.1 Provider Search Text Fields do an Exact Match Search

Users should be aware that in the Oracle Access Management Console, the Identity Provider search screen does an exact match (==) for the ProviderId and Partner name fields, rather than a "contains" search.

Although it is an exact match, the user can employ "*" as a wild card in searches.

5.2.3.2 Incorrect Error Message when an Invalid Signing Certificate is Uploaded

While creating/editing an IdP, if you upload an invalid file for a signing certificate, you will see a Null pointer exception error message instead of a proper message indicating that the file does not contain a certificate.

5.2.4 Configuration Issues and Workarounds: Mobile and Social

This topic describes configuration issues and their workarounds for Oracle Access Management Mobile and Social (Mobile and Social). It includes the following topics:

5.2.4.1 Moving Mobile and Social From a Test to Production Environment on IBM WebSphere

The following steps describe how to copy Mobile and Social from a test environment to a production environment.

Important:

Complete these steps after you finish moving Access Manager from the test environment to the production environment. For more information, see "Moving Access Manager From a Test to Production Environment on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide.

  1. Update oam-config.xml in the production environment with the secretKey value from the test environment.

    1. In the test environment, use a text editor to open oam-config.xml in the fmwconfig directory and, for object accessgate-oic, copy the value of the secretKey attribute.

      For example:

      <Setting Name="accessgate-oic" Type="htf:map">
        <Setting Name="ConfigurationProfile" Type="xsd:string">DefaultProfile</Setting>
        <Setting Name="aaaTimeoutThreshold" Type="xsd:string">-1</Setting>
      

      ...

        <Setting Name="secretKey" Type="xsd:string">A686408D1020B93EAA8B411EE0137847FD2968D1285A2A37BB0BE0B00238F50464E9C01EB3E5319AED6D7CAC81BD9FF7</Setting>
      
    2. In the production environment, use a text editor to open oam-config.xml in the fmwconfig directory and, for object accessgate-oic, replace the value of the attribute secretKey with the value from the test host.

  2. Copy the idaas.xml, oauth.xml, and oic_rp.xml files from the test environment fmwconfig directory to the production environment fmwconfig directory.

  3. In the production environment, edit the host and port information as appropriate in oic_rp.xml.

    Search for the name of the test host and replace it with the name of the production host. Verify that the port number is correct for the host URL.

    For example:

    <SystemConfiguration>
            <hostURL>https://prod123.example.com:14101</hostURL>
    
  4. Stop the node manager.

    Synchronize the node and start the node manager.

  5. Restart the oam_server1 and OracleAdminServer applications.

5.2.4.2 Steps Required to Localize the Register Page

Because of a design change, attribute names on the Register page are in English and are not localized to other languages. To translate this page, use the following steps to modify the attribute name values using the Oracle Access Management console.

  1. In the Oracle Access Management console, open the Application Profile under Internet Identity Services, for example OAMApplication.

  2. Go to the User Attribute Display Name list in the Registration Service Details with Application User Attribute Mapping section.

    Replace the values in English with localized values.

  3. Save your changes by clicking Apply on the OAMApplication page.

  4. Open the Register page and confirm that the page shows the correct localized values.

5.2.4.3 Mobile Clients do not Translate Error Messages Sent by the Server

The Mobile and Social server sends error messages to the mobile clients in the language that is configured in the server locale language settings. The mobile clients cannot translate server error messages to a different language.

5.2.4.4 Yahoo Identity Provider Does not Return First Name and Last Name

The Yahoo Internet identity provider does not return firstname and lastname values following user authentication. To work around this issue, change the following Mobile and Social mappings in the Oracle Access Management console:

  1. Open the Application Profile for editing.

    Click Next until the Internet Identity Provider configuration page opens.

  2. Open the Application User Attribute Vs Internet Identity Provider User Attributes Mapping section.

  3. In the Attribute Mapping section, click Yahoo to select it in the Internet Identity Provider list.

  4. Configure the values as follows:

    • Locate firstname in the Application User Attribute column and in the corresponding Internet Identity Provider User Attributes column, choose nickname.

    • Locate lastname in the Application User Attribute column and in the corresponding Internet Identity Provider User Attributes column, choose fullname.

  5. Save the Application Profile.

5.2.4.5 Once Set, Jail Breaking "Max OS Version" Setting Cannot be Empty

Once you assign a value to the Jail Breaking Detection Policy "Max OS Version" setting, you cannot remove the value and leave the field empty. Per the documentation, the Max OS Version field is used to configure the maximum iOS version to which the Jail Breaking policy applies. If the value is empty, a maximum iOS version number is not checked so the policy applies to any iOS version higher than the value specified for Min OS Version. Once set, however, the value cannot go back to being empty. To work around this issue, set a value for the Max OS Version field.

5.2.4.6 Additional Configuration Required After Running Test-to-Production Scripts

When moving Mobile and Social from a test environment to a production environment, complete the following configuration steps on each production machine after running the Test-to-Production scripts:

  1. Launch the Oracle Access Management Console.

  2. On the Policy Configuration tab, choose Shared Components > Authentication Schemes > OIC Scheme and click Open.

    The Authentication Schemes configuration page opens.

    Update the Challenge Redirect URL value to point to the production machine, not the test machine, then click Apply.

    For example: https://production_machine:port/oic_rp/login.jsp

  3. Update the Mobile and Social credential store framework (CSF) entry to point from the test machine to the production machine. To do this, run the following WLST command:

    createCred(map="OIC_MAP", key="https://<production machine host>:<production machine port>/oam/server/dap/cred_submit", user="<description>", password="DCC5332B4069BAB4E016C390432627ED", desc="<description>")
    

    For password, use the value from oam-config.xml, which is located in the domain home/config/fmwconfig directory on the production machine. Use the value from the RPPartner entry, TapCipherKey attribute.

  4. In the Oracle Access Management Console, do the following:

    1. Select the System Configuration tab.

    2. Choose Mobile and Social > Internet Identity Services.

    3. In the Application Profiles section, select OAMApplication and click Edit. (If using an application profile name other than OAMApplication, edit that instead.)

    4. Update the Registration URL field host name and port to point to the production machine.

      Click Apply.

5.3 Oracle Access Management Console Issues

This section documents issues that affect the Oracle Access Management Console. It includes the following topics:

5.3.1 Messages Sent From the Server to the Client Can Appear in a Foreign Language

If the OAM Server and the Oracle Access Management Console client are configured for different locales, the server will report error messages to the client in whichever language the server is configured for.

5.4 Documentation Errata

Oracle manuals describing and showing Oracle Access Management 11.1.2 and related services, including these Release Notes, incorrectly refer to the OAM Server (the former name of the Access Manager Server). However, in the next release of Oracle 11.1.2 books, the term OAM Server will be replaced by AM Server (Access Manager Server).

This section describes documentation errata for Oracle Access Management-specific manuals. It includes the following titles:

5.4.1 Oracle Fusion Middleware Administrator's Guide for Oracle Access Management

Documentation errata for Oracle Fusion Middleware Administrator's Guide for Oracle Access Management is organized into the following topics:

5.4.1.1 Max Session Time Element Description Update

The description of the Max Session Time element in Chapter 14 Registering and Managing OAM 11g Agents has been updated.

5.4.1.2 Creds Parameter Lists 10g and 11g Format Without Specifics

Format of creds= challenge parameter lists 10g format (creds:source$name) in an 11g book. The 10g format was removed and text added to explain 11g format.

5.4.1.3 Incorrect OpenSSO Agent Configuration Directory Documented

Replaced the incorrect configuration directory path WebTier_Middleware_Home/Oracle_WT1/instances1/config/OHS/ohs1/config/ with the correct one: PolicyAgent-base/AgentInstance-Dir/config

5.4.2 Oracle Fusion Middleware Developer's Guide for Oracle Access Management

There are no documentation errata for Oracle Fusion Middleware Developer's Guide for Oracle Access Management.