6 Oracle Entitlements Server

This chapter describes issues associated with Oracle Entitlements Server. It includes the following topics:

6.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

6.1.1 Tomcat Security Module Fails To Load Custom Attribute Retriever Class

The Attribute Retriever interface resides in the JPS JARs, which are loaded by the Tomcat "shared" class loader. A class loaded by the "shared" loader cannot resolve classes that live only in a child (web application) loader, so the JARs containing your custom Attribute Retriever implementations must also be loaded by the "shared" class loader or by a class loader that has the "shared" class loader as an ancestor. In practice, place the custom Attribute Retriever JARs in a directory on the path defined by the shared.loader property in Tomcat's conf/catalina.properties rather than in a web application's WEB-INF/lib.

6.1.2 Duplicate Entries of Resource Objects

This version of Oracle Entitlements Server allows the creation of duplicate Resource entries in Entitlements and Policies.

6.1.3 Finding Default Oracle Entitlements Server Security Module Certificates

The default Oracle Entitlements Server Security Module (client) certificate is stored in your_oes_sm_folder/oes_sm_instances/your_oes_sm/security/identity.jks and the trusted Certificate Authority (CA) certificates are stored in your_oes_sm_folder/oes_sm_instances/your_oes_sm/security/trust.jks. Both are JKS keystores; their passwords are set when the Security Module instance is created and are stored encrypted in a standard Oracle Wallet with auto-login enabled. The default client key pair is generated by the Security Module itself, and its certificate is signed during the enrollment process.

6.1.4 Entitlements Server Does Not Recover Connection To Database

If the Entitlements Server is started while the database hosting the policy store is down, it does not automatically reconnect once the database is available. Either of the following will rectify this.

  1. Configure the policy store data source for automatic recovery by setting the following connection pool properties:

    • Connection Creation Retry Frequency (a positive number of seconds) is needed if the database is down before the Administration Server starts; it makes the pool keep retrying until connections can be created.

    • Test Connections on Reserve is required if the database goes down after a successful Administration Server start; it discards stale connections instead of handing them to the policy store.

  2. Restart the Administration Server once the database is live.

6.1.5 Policy Simulator Does Not Open Policies Correctly

If multiple Role Mapping Policies or Authorization Policies are returned as a result of running the Policy Simulator, the correct object reference is not passed and thus they are not opened correctly. You will see this after clicking Check Access and selecting the Application Roles and Mapping Policies tab. To work around this issue and open policy details, search for the policies using the Advanced Search screen.

6.1.6 Starting Oracle Access Manager When Protected by Entitlements Server Throws Exception

You will get a runtime exception when starting an instance of Oracle Access Manager protected by Oracle Entitlements Server. The exception can be ignored.

6.1.7 Updating the Opatch Tool

Oracle recommends that all customers be on the latest version of OPatch. Review My Oracle Support Note 224346.1, "OPatch - Where Can I Find the Latest Version of OPatch?", and follow its instructions to update to the latest version if necessary. For OPatch usage with Fusion Middleware, refer to the Oracle Fusion Middleware Patching Guide.

6.1.8 Web Service Fails to Start on WebLogic Server Security Module Managed Server

If you follow the steps in sections 9.6.2.7, Configuring Oracle Entitlements Server Web Service Security Module on WebLogic High Availability, or 9.6.2.8, Configuring Oracle Entitlements Server WebLogic Security Module High Availability of the Oracle Fusion Middleware High Availability Guide, Web Service fails to start on the WebLogic Server Security Module managed server on the second node. A Java runtime exception error occurs due to a permission issue in the weblogic.policy file.

This error occurs because weblogic.policy contains no grant for the OES client code. To resolve it, add the following lines to the MW_HOME/wlserver_10.3/server/lib/weblogic.policy file on OESHOST2. The ${oes.client.home} reference is expanded from the JVM system property of that name when the policy file is read, so that property must be set for the managed server or the grant entry is ignored:

grant codeBase "file:${oes.client.home}/-" {
        permission java.security.AllPermission;
};

6.1.9 configureSecurityStore.py Fails if env Command Output Includes Empty Line

The configureSecurityStore.py script fails when run with wlst.sh in an environment whose env command output contains an empty line, that is, where some environment variable's value contains a newline. For example:

LANG=en_US.utf8
GNOME_KEYRING_PID=16766
<empty line>
PYTHONSTARTUP=/etc/pythonstart 

An exception message similar to the following may be seen:

Welcome to WebLogic Server Administration Scripting Shell
.
Type help() for help on available commands
.
Info: Data source is: opss-DBDS
Info: DB JDBC driver: oracle.jdbc.OracleDriver
Info: DB JDBC URL: jdbc:oracle:thin:@hostname.mycompany.com:1521/db10205
Exception in thread "Main Thread" java.lang.NoClassDefFoundError:
oracle/security/jps/internal/tools/configuration/ldap/LdapServiceEnabler
Caused by: java.lang.ClassNotFoundException:

To work around this issue, remove the empty line by unsetting the variable and re-exporting it without the embedded newline, then run the command again. In a C shell (the % prompt shown here):

% unsetenv GNOME_KEYRING_PID
% setenv GNOME_KEYRING_PID 16766

In a POSIX shell (sh, bash, ksh):

$ unset GNOME_KEYRING_PID
$ export GNOME_KEYRING_PID=16766
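
An added example, not from the Oracle documentation, for finding which variable is responsible for the empty line. env prints one NAME=value per line, so a value that itself contains a newline spans two lines of output and the second one is empty. The Python 3 script below parses env output, reports variables whose values embed a newline, and emits the POSIX sh commands that reset them; it can also run the same check directly on the calling process's environment. The sample env output is constructed from the four lines shown in this section.

```python
"""Find environment variables whose values embed a newline: each such value makes `env`
print an extra (often empty) line, which is what trips wlst.sh configureSecurityStore.py."""
import os
import re
import shlex

# Constructed sample of `env` output, built from the four lines shown in this section;
# the empty line is the tail of GNOME_KEYRING_PID's value.
SAMPLE_ENV_OUTPUT = (
    "LANG=en_US.utf8\n"
    "GNOME_KEYRING_PID=16766\n"
    "\n"
    "PYTHONSTARTUP=/etc/pythonstart\n"
)

_ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_env_output(text):
    """Parse `env` output into an ordered list of (name, value).

    env prints NAME=value followed by a newline for each variable, so a value that
    contains newlines spans several lines. A line that is not a valid NAME=... assignment
    (empty lines included) is treated as a continuation of the previous variable's value.
    A continuation line that happens to look like an assignment is ambiguous and will be
    read as a new variable; confirm such cases with `printenv NAME | od -c`.
    """
    entries = []
    for line in text.splitlines():
        match = _ASSIGNMENT.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
        elif entries:
            entries[-1][1] += "\n" + line
        else:
            raise ValueError("env output does not start with NAME=value: %r" % line)
    return [(name, value) for name, value in entries]


def multiline_vars(entries):
    """Return the (name, value) pairs whose value contains a newline."""
    return [(name, value) for name, value in entries if "\n" in value]


def fix_commands(entries):
    """POSIX sh commands that re-export each offending variable with its first line only."""
    commands = []
    for name, value in multiline_vars(entries):
        first_line = value.split("\n", 1)[0]
        commands.append("unset %s; export %s=%s" % (name, name, shlex.quote(first_line)))
    return commands


def check_current_environment():
    """Apply the same check to this process's own environment, which is what a child
    wlst.sh would inherit; returns the offending (name, value) pairs."""
    return multiline_vars(list(os.environ.items()))


if __name__ == "__main__":
    entries = parse_env_output(SAMPLE_ENV_OUTPUT)
    for name, value in multiline_vars(entries):
        print("%s contains a newline: %r" % (name, value))
    print("\n".join(fix_commands(entries)))
```

Run it as `env | python3 find_env_newlines.py` style by feeding real env output to parse_env_output, or call check_current_environment() from the shell that is about to launch wlst.sh; fix_commands only keeps the first line of a value, so review the output before pasting it if the variable legitimately holds several lines.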

6.1.10 Security Module Configuration User Interface Contains Garbled Characters for Asian Locale

This issue affects the Microsoft Windows platform only. The Security Module Configuration User Interface (SMConfig UI) may contain garbled characters when set to be Asian Locale. This affects Simplified and Traditional Chinese, Japanese and Korean languages.

To work around this issue, if using another language is acceptable, change the user interface language by adding the locale system properties to the JVM options in oessmconfig.bat. For example, to use English in the US locale, add:

-Duser.language=en -Duser.country=US

6.1.11 Authorization Policy Creation Error Message in Administration Console

When creating an Authorization Policy in the Administration Console, if invalid condition data for certain data types (like DNS) is built using an equals operator ( = ) the following system message is displayed:

application policy -  expression encoding error

This message means that the condition was not built correctly and the Authorization Policy therefore could not be created, but it does not say which condition is at fault, so it is difficult to interpret.

To work around this issue, re-write the condition so that the right-hand side is produced by a conversion function of the same type instead of being a bare string literal compared with the equals operator ( = ). For example, if the condition was written as:

DNS_NAME_ONE_AND_ONLY(['www.mycompany.com','www.mycompany.com'])='www.anothercompany.com'

Re-write the conditions as follows:

DNS_NAME_ONE_AND_ONLY(['www.mycompany.com','www.mycompany.com'])=DNS_NAME_FROM_STRING('www.anothercompany.com')

6.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

6.2.1 Config Security Store Fails To Create Policy Store Object

Typically, the policy store recovers once its associated database has recovered. If the WebLogic Server Administration Console reports errors stating that the data source could not be found, open that data source's configuration in the Administration Console and set its 'Initial Capacity' connection pool property to 0. With a non-zero Initial Capacity the data source needs an open database connection in order to deploy, so it is not created at all when the database is down at startup; with 0 it deploys without one and creates connections as the database comes up.
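
An added example, not Oracle's code, covering the Initial Capacity setting above together with the Connection Creation Retry Frequency and Test Connections on Reserve settings from 6.1.4: a stand-alone Python 3 script that audits a WebLogic JDBC data source descriptor (DOMAIN_HOME/config/jdbc/<name>-jdbc.xml) for those settings and rewrites it. The descriptor element names and namespace are the ones WebLogic uses for these properties; the sample descriptor, its JNDI name and pool values, the 10-second retry interval and the Oracle test query are constructed for the example. Test Table Name is included because Test Connections on Reserve has nothing to run without one.

```python
"""Audit and correct the connection-pool settings that let the OPSS/OES policy-store data
source in WebLogic Server survive a database outage (Initial Capacity, Test Connections on
Reserve, Connection Creation Retry Frequency, plus the Test Table Name testing relies on)."""
import xml.etree.ElementTree as ET

POOL_PARAMS = "jdbc-connection-pool-params"

# Target values. The retry interval and the Oracle test query are choices made for this
# example, not values prescribed by the release notes.
WANTED = {
    "initial-capacity": "0",
    "test-connections-on-reserve": "true",
    "connection-creation-retry-frequency-seconds": "10",
    "test-table-name": "SQL SELECT 1 FROM DUAL",
}

# Constructed sample in the shape of DOMAIN_HOME/config/jdbc/opss-DBDS-jdbc.xml; the data
# source name, driver and URL come from this chapter, the JNDI name and pool values are made up.
SAMPLE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">
  <name>opss-DBDS</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@hostname.mycompany.com:1521/db10205</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
  </jdbc-driver-params>
  <jdbc-connection-pool-params>
    <initial-capacity>5</initial-capacity>
    <max-capacity>15</max-capacity>
    <test-connections-on-reserve>false</test-connections-on-reserve>
  </jdbc-connection-pool-params>
  <jdbc-data-source-params>
    <jndi-name>jdbc/OpssDataSource</jndi-name>
  </jdbc-data-source-params>
</jdbc-data-source>
"""


def _ns(root):
    """Namespace URI of the root element ('' if the descriptor declares none)."""
    return root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""


def pool_settings(xml_text):
    """Current text of each setting in WANTED, or None where the element is absent."""
    pool = ET.fromstring(xml_text).find("{*}" + POOL_PARAMS)   # {*} needs Python 3.8+
    settings = {}
    for key in WANTED:
        element = None if pool is None else pool.find("{*}" + key)
        settings[key] = None if element is None or element.text is None else element.text.strip()
    return settings


def findings(xml_text):
    """Describe each setting that stops the pool from recovering on its own."""
    current = pool_settings(xml_text)
    problems = []
    if current["initial-capacity"] != "0":
        problems.append("initial-capacity=%s: with a non-zero value the data source fails to "
                        "deploy if the DB is down at startup; set 0"
                        % (current["initial-capacity"] or "default(1)"))
    if current["test-connections-on-reserve"] != "true":
        problems.append("test-connections-on-reserve is not true: stale connections are "
                        "handed out after the DB restarts")
    if not current["test-table-name"]:
        problems.append("test-table-name unset: connection testing is disabled")
    retry = current["connection-creation-retry-frequency-seconds"]
    if not (retry and retry.isdigit() and int(retry) > 0):
        problems.append("connection-creation-retry-frequency-seconds=%s: the pool will not "
                        "keep retrying while the DB is down; set a positive number of seconds"
                        % (retry or "default(0)"))
    return problems


def fix(xml_text, wanted=WANTED):
    """Return the descriptor with the recovery settings applied. Existing elements are
    updated in place; missing ones are appended to the pool params, so check element
    order against the descriptor schema before deploying the result."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    if ns:
        ET.register_namespace("", ns)   # keep the default namespace instead of an ns0: prefix
    q = lambda tag: "{%s}%s" % (ns, tag) if ns else tag
    pool = root.find("{*}" + POOL_PARAMS)
    if pool is None:
        pool = ET.SubElement(root, q(POOL_PARAMS))
    for key, value in wanted.items():
        element = pool.find("{*}" + key)
        if element is None:
            element = ET.SubElement(pool, q(key))
        element.text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for problem in findings(SAMPLE_DESCRIPTOR):
        print("-", problem)
    print(fix(SAMPLE_DESCRIPTOR))
```

Run it against a copy of the descriptor with the Administration Server stopped: WebLogic rewrites its configuration files from in-memory state, so a hand edit made while the server is running is lost. Making the same changes in the Administration Console (Services > Data Sources > the data source > Configuration > Connection Pool) or through WLST is equivalent.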

6.2.2 Use Absolute Paths While Running configureSecurityStore.py With -m Join

The Config Security Store fails to create the policy store object when environment variables such as $ORACLE_HOME and $MW_HOME are used in the arguments while running wlst.sh with configureSecurityStore.py and -m join. Always pass absolute paths for ORACLE_HOME and MW_HOME when running the command with -m join.

6.2.3 Wrong Type Defined For PIP Service Provider After Adding PIP Attribute

The pip.service.provider parameter in jps-config.xml is required for PIP attributes. When a jps-config.xml file without a service provider entry for the pip.service.provider parameter is fed to the Administration Console and some PIP attributes are added, a service provider value is automatically added to the pip.service.provider with its type defined as AUDIT rather than PIP. In this scenario, after saving jps-config.xml, check for the created service provider and manually change the type from AUDIT to PIP.

This step is not required if the service provider is already present before the Administration Console touches the file. Additionally, the Administration Console will not overwrite a service provider entry that is correctly created. This issue only happens when the Administration Console has to add a service provider because of its absence.
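
An added example, not Oracle's code, for the check described above: a Python 3 script that reports whether jps-config.xml has a serviceProvider named pip.service.provider, whether its type is PIP, which serviceInstance entries are bound to it, and that rewrites a wrong type in place. The element and attribute names (serviceProviders/serviceProvider with name and type, serviceInstances/serviceInstance with provider) follow the jps-config.xml layout; the sample file, its namespace declaration and the class attribute values are constructed for this example. Back up jps-config.xml before rewriting it, and make the edit with the server that owns the file stopped.

```python
"""Check and repair the type of the pip.service.provider entry in a jps-config.xml."""
import xml.etree.ElementTree as ET

PIP_PROVIDER_NAME = "pip.service.provider"
PIP_TYPE = "PIP"

# Constructed sample in the shape of a jps-config.xml after the Administration Console has
# auto-added the provider with the wrong type; the class attribute values are placeholders.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceProviders>
    <serviceProvider type="AUDIT" name="audit.provider" class="example.AuditProvider"/>
    <serviceProvider type="AUDIT" name="pip.service.provider" class="example.PipProvider"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="audit" provider="audit.provider"/>
    <serviceInstance name="pip.service.instance" provider="pip.service.provider"/>
  </serviceInstances>
</jpsConfig>
"""


def _providers(root):
    """All serviceProvider elements, namespace-agnostic ({*} needs Python 3.8+)."""
    return root.findall(".//{*}serviceProviders/{*}serviceProvider")


def check_pip_provider(xml_text):
    """Return 'ok', 'missing', or 'wrong-type:<TYPE>' for the pip.service.provider entry."""
    root = ET.fromstring(xml_text)
    for provider in _providers(root):
        if provider.get("name") == PIP_PROVIDER_NAME:
            found = provider.get("type")
            return "ok" if found == PIP_TYPE else "wrong-type:%s" % found
    return "missing"


def instances_using(xml_text, provider_name=PIP_PROVIDER_NAME):
    """Names of the serviceInstance entries bound to the provider, i.e. what a wrong type affects."""
    root = ET.fromstring(xml_text)
    return [instance.get("name")
            for instance in root.findall(".//{*}serviceInstances/{*}serviceInstance")
            if instance.get("provider") == provider_name]


def fix_pip_provider_type(xml_text):
    """Return the document with the pip.service.provider entry's type set to PIP.

    Raises ValueError when the provider is absent: adding it needs the provider class,
    which is exactly what the Administration Console fills in, so let it do that first."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])   # keep the default namespace
    for provider in _providers(root):
        if provider.get("name") == PIP_PROVIDER_NAME:
            provider.set("type", PIP_TYPE)
            return ET.tostring(root, encoding="unicode")
    raise ValueError("no serviceProvider named %s in this file" % PIP_PROVIDER_NAME)


if __name__ == "__main__":
    print("before:", check_pip_provider(SAMPLE_JPS_CONFIG), instances_using(SAMPLE_JPS_CONFIG))
    repaired = fix_pip_provider_type(SAMPLE_JPS_CONFIG)
    print("after: ", check_pip_provider(repaired))
```

The namespace-agnostic lookups mean the same check works on a file that declares the jps-config namespace and on one that does not; only the name and type attributes are touched, so the provider class the Administration Console wrote is preserved.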

6.2.4 Starting the OES Domain Gives an Error When Using Derby Database as the Policy Store

When you start the Oracle Entitlements Server domain after creating a new WebLogic domain for Oracle Entitlements Server using the Oracle Entitlements Server Derby Template, the console displays an error message.

This is because the Oracle Entitlements Server Derby Template does not deploy the IDS task flows, by default.

Workaround:

  1. Deploy the $IDM_HOME/modules/oracle.idm.ids.config.ui_11.1.2/oracle.idm.ids.config.ui.war as a shared library.

  2. Restart the WebLogic Server domain for Oracle Entitlements Server.

  3. Log in to the Oracle Entitlements Server Administration Console using the following URL:

    http://hostname:port/apm/
    

6.3 Documentation Errata

This section contains documentation errata for the following document:

6.3.1 Oracle Entitlements Server Online Help

The online help system contains an older version of Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server. Refer to information in the latest document version available on Oracle Technology Network.