10 Oracle Identity Manager

This chapter describes issues associated with Oracle Identity Manager. It includes the following topics:

10.1 Patch Requirements

This section describes patch requirements for Oracle Identity Manager 11g Release 2 (11.1.2). It includes the following sections:

10.1.1 Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)

To obtain a patch from My Oracle Support (formerly OracleMetaLink), go to the following URL, click Patches and Updates, and search for the patch number:

https://support.oracle.com/

10.1.2 Patch Requirements for Oracle Database 11g (11.1.0.7)

Table 10-1 lists patches required for Oracle Identity Manager 11g Release 2 (11.1.2) configurations that use Oracle Database 11g (11.1.0.7). Before you configure Oracle Identity Manager 11g, be sure to apply the patches to your Oracle Database 11g (11.1.0.7) database.

Table 10-1 Required Patches for Oracle Database 11g (11.1.0.7)

Platform          Patch Number and Description on My Oracle Support
----------------  -------------------------------------------------------------------------------------
UNIX / Linux      7614692: BULK FEATURE WITH 'SAVE EXCEPTIONS' DOES NOT WORK IN ORACLE 11G
                  7000281: DIFFERENCE IN FORALL STATEMENT BEHAVIOR IN 11G
                  8327137: WRONG RESULTS WITH INLINE VIEW AND AGGREGATION FUNCTION
                  8617824: MERGE LABEL REQUEST ON TOP OF 11.1.0.7 FOR BUGS 7628358 7598314
Windows 32 bit    8689191: ORACLE 11G 11.1.0.7 PATCH 16 BUG FOR WINDOWS 32 BIT
Windows 64 bit    8689199: ORACLE 11G 11.1.0.7 PATCH 16 BUG FOR WINDOWS (64-BIT AMD64 AND INTEL EM64T)


Note:

The patches listed for UNIX/Linux in Table 10-1 are also available by the same names for Solaris SPARC 64 bit.

10.1.3 Patch Requirements for Oracle Database 11g (11.2.0.2.0)

If you are using Oracle Database 11g (11.2.0.2.0), make sure that you download and install the appropriate version (based on the platform) for the RDBMS Patch Number 9776940. This is a prerequisite for installing the Oracle Identity Manager schemas.

Table 10-2 lists the patches required for Oracle Identity Manager 11g Release 2 (11.1.2) configurations that use Oracle Database 11g Release 2 (11.2.0.2.0). Make sure that you download and install the following patches before creating Oracle Identity Manager schemas.

Table 10-2 Required Patches for Oracle Database 11g (11.2.0.2.0)

Platform                           Patch Number and Description on My Oracle Support
---------------------------------  -------------------------------------------------------------------------------------------
Linux x86 (32-bit)                 RDBMS Patch# 13004894.
Linux x86 (64-bit)
Oracle Solaris on SPARC (64-bit)
Oracle Solaris on x86-64 (64-bit)
Microsoft Windows x86 (32-bit)     Bundle Patch 2 [Patch# 11669994] or later. The latest Bundle Patch is 4 [Patch# 11896290].
Microsoft Windows x86 (64-bit)     Bundle Patch 2 [Patch# 11669995] or later. The latest Bundle Patch is 4 [Patch# 11896292].
All platforms                      Patch 12419331: Database PSU 11.2.0.2.3 on top of 11.2.0.2.0 Base Release.


If this patch is not applied, then problems might occur in user and role search and in manager lookup. In addition, search results might be empty.

10.1.4 Patch Requirements for Oracle Database 11g (11.2.0.4.0)

Table 10-3 lists the patch required for Oracle Identity Manager 11g Release 2 (11.1.2) configurations that use Oracle Database 11g (11.2.0.4.0).

Table 10-3 Required Patches for Oracle Database 11g (11.2.0.4.0)

Platform        Patch Number and Description on My Oracle Support
--------------  ------------------------------------------------------------------------------------
All platforms   17501296: Unable to Delete Rows From Table With Text Index After Upgrade to 11.2.0.4


10.1.5 Patch Requirements for Oracle Database 10g (10.2.0.3 and 10.2.0.4)

In Oracle Database 10g, problems are encountered when creating a materialized view that uses the CONNECT_BY_ROOT clause. This is because the CONNECT_BY_ROOT operator is not available in Oracle Database 10g (10.2).

To resolve this issue, use the patches listed in Table 10-4:

Table 10-4 Required Patches for Oracle Database 10g (10.2.0.3 and 10.2.0.4)

Oracle Database Release   Patch Number and Description on My Oracle Support
------------------------  ------------------------------------------------------------------------------
10.2.0.3.0                7012065: BLR BACKPORT OF BUG 6908967 ON TOP OF VERSION 10.2.0.3.0 (BLR #81973)
10.2.0.4.0                8239552: BLR BACKPORT OF BUG 6908967 ON TOP OF 10.2.0.4.0 (BLR #113173)


10.1.6 Patch Upgrade Requirement

While applying the patch provided for Oracle Identity Manager, the following error is generated:

ApplySession failed: ApplySession failed to prepare the system.

To resolve this error, upgrade OPatch from version 11.1.0.8.1 to version 11.1.0.8.2, which meets the version requirement.

See "Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)" for information about downloading OPatch from My Oracle Support.

10.1.7 Patch Requirement for BI Publisher 11.1.1.6.0

To run the Oracle Identity Manager Reports on BI Publisher 11g (11.1.1.6.0), the following patch must be applied on top of BI Publisher 11.1.1.6.0:

p14088000_11g_Generic.zip

10.2 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

10.2.1 Auto-Logged In User is Logged Out After the Cookie Expiry Interval of 120 Seconds

In an Oracle Identity Manager deployment integrated with Oracle Access Manager (OAM), when you log in to Oracle Identity Self Service for the first time, you are redirected to reset the password and answer challenge questions. After successfully resetting the password and answering the challenge questions, you are automatically logged in to Oracle Identity Self Service without having to authenticate again. However, the login session ends after 120 seconds and you are redirected to the login page.

To work around this issue, set the cookieExpiryInterval configuration property of the ssoConfig tag in the oim-config.xml file to -1.

Note:

The oim-config.xml file is stored in MDS. To edit this file, you can either use WebLogic export/import utilities, or use MBeans from the Enterprise Manager console.

10.2.2 Localized Display Name Not Reconciled in Oracle Identity Manager Via User/Role Incremental Reconciliation

When LDAP synchronization is enabled in Oracle Identity Manager with iPlanet via Identity Virtualization Library (libOVD), the localized display names are not populated in mls_usr/mls_ugp for user/role create/update changelog reconciliation. A reconciliation event is created, but only for the localized display name replacing usr_display_name/ugp_display_name in the USR/UGP tables. This is because Oracle Identity Manager is unaware of the backend directory server. It interacts only with OVD/libOVD and uses the data returned in the changelog entries by OVD/libOVD for reconciliation; it does not manipulate the data of the subtypes. iPlanet DS/ODSEE returns only the modified subtype and its value to OVD.

To work around this issue, make changes to all subtypes in the directory server and then reconcile into Oracle Identity Manager. This ensures that all values exist in the changelog entry result sent by OVD, so that Oracle Identity Manager receives the attribute with the values of all subtypes.

For example, if only one subtype, such as lang-ja, of the displayName attribute has to be modified in the LDAP directory and reconciled into Oracle Identity Manager, and if other subtypes, such as displayName, lang-zh-tw, and lang-fr, already exist in iPlanet/ODSEE, then create a sample LDIF file, as shown in Example 10-1, and import it into iPlanet DS/ODSEE with the ldapmodify command. As a result, all the subtypes of the displayName attribute will have separate changelog IDs and will be reconciled into Oracle Identity Manager.

Example 10-1 Sample ldif File

dn: cn=AJGroupTEST2,cn=Groups,dc=example,dc=com
changetype: modify
replace: displayName
displayName: All Fusion Roles - All Data RolesTEST2

dn: cn=AJGroupTEST2,cn=Groups,dc=example,dc=com
changetype: modify
replace: displayName;lang-zh-tw
displayName;lang-zh-tw: languser1RolesTEST21-Chinese

dn: cn=AJGroupTEST2,cn=Groups,dc=example,dc=com
changetype: modify
replace: displayName;lang-fr
displayName;lang-fr: languser1RolesTEST-French

dn: cn=AJGroupTEST2,cn=Groups,dc=example,dc=com
changetype: modify
replace: displayName;lang-ja
displayName;lang-ja: languser1RolesTEST-Japanese1
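The following added example (not part of the original release notes) automates the workaround above: it reads the entry's current state from an LDIF dump, collects every subtype of an attribute, and emits one modify record per subtype so that each one gets its own changelog entry. The sample entry is constructed; only the DN and values from Example 10-1 are reused.

```python
"""Re-assert every subtype of an LDAP attribute as its own modify record.

The workaround for 10.2.2 is to touch all displayName subtypes so each change
shows up in the OVD/libOVD changelog. This builds that LDIF from the entry's
current state plus the one value that actually needs to change.
"""
from typing import Dict, Tuple

# Constructed sample: current state of the group in iPlanet DS/ODSEE as an LDIF
# entry (for example, as returned by ldapsearch -L). Not taken from the page.
SAMPLE_ENTRY_LDIF = """\
dn: cn=AJGroupTEST2,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: AJGroupTEST2
displayName: All Fusion Roles - All Data RolesTEST2
displayName;lang-zh-tw: languser1RolesTEST21-Chinese
displayName;lang-fr: languser1RolesTEST-French
displayName;lang-ja: languser1RolesTEST-Japanese
"""


def parse_ldif_entry(text: str) -> Tuple[str, Dict[str, str]]:
    """Parse one LDIF entry into (dn, {attribute description: value}).

    Handles RFC 2849 line folding (continuation lines start with a space).
    Base64 values ("::") and multi-valued attributes are out of scope here.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # folded continuation line
        elif line.strip() and not line.startswith("#"):
            unfolded.append(line)
    dn = None
    attrs: Dict[str, str] = {}
    for line in unfolded:
        desc, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if desc == "dn":
            dn = value.strip()
        else:
            attrs[desc] = value.strip()
    if dn is None:
        raise ValueError("LDIF entry has no dn")
    return dn, attrs


def subtype_values(attrs: Dict[str, str], base_attr: str) -> Dict[str, str]:
    """Return base_attr and every 'base_attr;option' subtype present, for
    example displayName and displayName;lang-fr (types are case-insensitive)."""
    return {
        desc: value
        for desc, value in attrs.items()
        if desc.partition(";")[0].lower() == base_attr.lower()
    }


def build_modify_ldif(dn: str, current: Dict[str, str],
                      changes: Dict[str, str]) -> str:
    """Emit one 'changetype: modify' record per subtype (RFC 2849, each
    mod-spec closed with '-'), so each subtype yields its own changelog entry.

    `changes` overrides or adds subtypes; every other current subtype is
    re-asserted with its existing value.
    """
    merged = dict(current)
    merged.update(changes)
    records = [
        f"dn: {dn}\nchangetype: modify\nreplace: {desc}\n{desc}: {value}\n-\n"
        for desc, value in merged.items()
    ]
    return "\n".join(records)


def ldif_for_subtype_change(entry_ldif: str, base_attr: str,
                            changes: Dict[str, str]) -> str:
    """Entry LDIF in, ldapmodify-ready LDIF out."""
    dn, attrs = parse_ldif_entry(entry_ldif)
    return build_modify_ldif(dn, subtype_values(attrs, base_attr), changes)


if __name__ == "__main__":
    # Only lang-ja changes, but all four displayName subtypes are re-asserted.
    print(ldif_for_subtype_change(
        SAMPLE_ENTRY_LDIF, "displayName",
        {"displayName;lang-ja": "languser1RolesTEST-Japanese1"},
    ))
```

Feed the output to ldapmodify against iPlanet DS/ODSEE, then run the incremental reconciliation job.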

10.2.3 Organizations Not Created Because of AD Organization Reconciliation Run

When the scheduled job for AD organization reconciliation is run, AD organizations are not created in Oracle Identity Manager.

To work around this issue:

  1. Create a reconciliation rule for the Xellerate Organization resource object by using the Design Console. To do so:

    1. In the Design Console, open the Reconciliation Rules form.

    2. In the Name field, enter AD Organization Recon Rule.

    3. In the Object field, select Xellerate Organization.

    4. In the Description field, enter AD Organization Recon Rule.

    5. Save the reconciliation rule.

    6. Click Add Rule Element. The Add Rule Element dialog box is displayed.

    7. In the Rule Elements tab, select the following:

      - For Organization Data, select Organization Name.
      - For operator, select Equals.
      - For attribute, select Organization.Organization Name.
      - For transform, select none.

    8. Click Save, and then close the dialog box.

    9. In the Reconciliation Rules form, select Active.

    10. Click Save.

  2. Create a reconciliation profile for the Xellerate Organization resource object. To do so:

    1. In the Resource Objects form, search and select Xellerate Organization.

    2. In the Object Reconciliation tab, click Create Reconciliation Profile.

  3. Run the AD Organization Recon scheduler to create AD organizations as OIM Organizations.

10.2.4 The SodCheckViolation Field of the Process Form is Not Updated for Request Provisioning

For request provisioning of the PSFT resource with conflicting entitlements, the SodCheckViolation field in the process form is not updated. The entitlement violation is mapped to the field with the SoDCheckEntitlementViolation label, while the PSFT resource has the field with the SoDCheckViolation label. Therefore, the mapping does not occur. Direct provisioning and provisioning through access policy take place successfully with the SoDCheckViolation field label.

To work around this issue for request provisioning, change the SoDCheckViolation field label to SoDCheckEntitlementViolation in the PSFT form by using the Design Console.

10.2.5 Blank Page Displayed for Approval Details

When you try to open the approval details page in the Pending Approvals section of Oracle Identity Self Service, a blank page is displayed.

To work around this issue, use Oracle Enterprise Manager to edit the approval task of the required SOA composites and remove the SSL port for Oracle Identity Manager in the Administration tab, as follows:

  1. Log in to Oracle Enterprise Manager by using the WebLogic administrator username and password.

  2. In the menu on the left-hand side, click SOA. Click the + sign to expand soa-infra, and then click the + sign to expand default.

  3. Click the required SOA composite under the default menu.

  4. On the right-hand side, click the Approval task under the Component Metrics section.

  5. Click the Administration tab.

  6. Set the value of HTTPS port to 0.

10.2.6 Modification of Disabled Account and Requesting Entitlement for the Account is Allowed

Oracle Identity Manager allows modification of an account and requesting of its entitlements even though the account is in the disabled state.

This is a known issue, and a workaround is currently not available.

10.2.7 The Refresh Button is Truncated in Some Pages of the Oracle Identity Self Service

When you open Oracle Identity Self Service by using the Google Chrome 15.0.x web browser, the Refresh button on the toolbar is displayed truncated in some pages.

To work around this issue, upgrade Google Chrome 15.0.x to Google Chrome 18.0.1025.162 or a higher version.

10.2.8 Provisioning of Application Instance with AD User Resource Object Does not Work

When you create an application instance for AD with appropriate details and request to provision the application instance as System Administrator, the resource is in provisioning state, and the following message is logged:

<Warning> <XELLERATE.SERVER> <BEA-000000> <No fields having ITResouce property found in form with sdk_key=11>
<Warning> <XELLERATE.SERVER> <BEA-000000> <More than fields of type ITResourceLookupField found on form with sdk_key=11>
<Warning> <XELLERATE.SERVER> <BEA-000000> <Cannot figure out the ITResource field uniquely>

To work around this issue, add the ITResource=true property to the AD Server field in the process form.

10.2.9 Some Attestation Pages Do Not Work in Mozilla Firefox and Google Chrome

In Oracle Identity Manager User and Administrative Console, some pages related to attestation do not work when you use Mozilla Firefox or Google Chrome web browsers. These include pages for creating attestation processes and submitting attestation requests.

To work around this problem, use the Microsoft Internet Explorer web browser.

10.2.10 Error Generated if a User is Created When the Corresponding LDAP Container Does Not Exist

When you create a user and the corresponding LDAP container selected by the dynamic rule does not exist, an error is generated. For example, suppose the following containers have been created in the LDAP server:

cn=FusionUsers,cn=CAD,dc=us,dc=example,dc=com
cn=FusionUsers,cn=USA,dc=us,dc=example,dc=com

If you create a user with the country code China, for which the corresponding container does not exist in LDAP, then the following error is generated:

va:1454)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused By: javax.naming.NameNotFoundException: [LDAP: error code 32 - LDAP Error 32 : [LDAP: error code 32 - Parent entry not found in the directory.]]; remaining name 'cn=ktestoimuser10 ktestoimuser10,cn=FusionUsers,cn=China,dc=us,dc=example,dc=com'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
        at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:788)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
        at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:183)
        at example.iam.platform.entitymgr.provider.ldap.LDAPUtil.createSubcont

To work around this issue, create the missing container in the LDAP server so that it matches the container specified in the LDAPContainerRules.xml file.
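As an added example (not part of the original release notes), the following pre-flight check reads the DN out of the JNDI error above, walks up its parents against the containers that are known to exist, and lists the containers an administrator must create before retrying the user create. The container list and the error text are constructed from the values shown on this page; the rule that maps country code to container is assumed to come from LDAPContainerRules.xml and is not modelled here.

```python
"""Pre-flight check for the LDAP container a user create will land in.

LDAP error code 32 (noSuchObject) on createSubcontext means the parent of
the new entry does not exist. Given the containers that do exist, this works
out which ones are missing so they can be created to match
LDAPContainerRules.xml before the user create is retried.
"""
import re
from typing import Iterable, List

# Constructed: the two containers the page says exist, plus their ancestors.
EXISTING_CONTAINERS = [
    "dc=us,dc=example,dc=com",
    "cn=CAD,dc=us,dc=example,dc=com",
    "cn=FusionUsers,cn=CAD,dc=us,dc=example,dc=com",
    "cn=USA,dc=us,dc=example,dc=com",
    "cn=FusionUsers,cn=USA,dc=us,dc=example,dc=com",
]

# Constructed log excerpt in the shape of the page's NameNotFoundException,
# including the line wrap inside the DN that appears in the captured log.
SAMPLE_ERROR = (
    "Caused By: javax.naming.NameNotFoundException: [LDAP: error code 32 - "
    "LDAP Error 32 : [LDAP: error code 32 - Parent entry not found in the "
    "directory.]]; remaining name 'cn=ktestoimuser10\n"
    "ktestoimuser10,cn=FusionUsers,cn=China,dc=us,dc=example,dc=com'"
)

_REMAINING_NAME = re.compile(r"remaining name '([^']*)'")


def remaining_name(error_text: str) -> str:
    """Extract the DN that JNDI reports as 'remaining name'. Logs may wrap
    long DNs, so runs of whitespace (including newlines) are collapsed."""
    match = _REMAINING_NAME.search(error_text)
    if not match or "error code 32" not in error_text:
        raise ValueError("not an LDAP error 32 with a remaining name")
    return " ".join(match.group(1).split())


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def normalize_dn(dn: str) -> str:
    """Comparison form: trimmed, case-folded RDNs. An approximation of DN
    matching that assumes caseIgnore for every attribute type used here."""
    return ",".join(r.lower() for r in split_dn(dn))


def parent_dn(dn: str) -> str:
    return ",".join(split_dn(dn)[1:])


def missing_containers(target_dn: str, existing: Iterable[str]) -> List[str]:
    """Containers that must be created, top-most first, before target_dn can
    be added. An empty list means the parent container already exists."""
    known = {normalize_dn(e) for e in existing}
    missing: List[str] = []
    dn = parent_dn(target_dn)
    while dn and normalize_dn(dn) not in known:
        missing.append(dn)
        dn = parent_dn(dn)
    if not dn:
        raise ValueError("no ancestor of the target exists; check the base DN")
    missing.reverse()
    return missing


if __name__ == "__main__":
    user_dn = remaining_name(SAMPLE_ERROR)
    for container in missing_containers(user_dn, EXISTING_CONTAINERS):
        print("missing container:", container)
```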

10.2.11 Custom Scheduled Jobs Fail Because of Dependency on Legacy APIs

Custom scheduled jobs that use APIs available in legacy versions of Oracle Identity Manager but not in the current release fail at run time. For example, a custom scheduled job that calls com.thortech.xl.client.mail.tcSendMail to send emails fails with the java.lang.NoClassDefFoundError error. This is because com.thortech.xl.client.mail.tcSendMail is available in Oracle Identity Manager release 9.x and earlier releases, but not in 11g releases.

To avoid this issue, use only APIs published with the current release instead of using individual unsupported APIs, such as tcAdapterUtilities or tcClient. In addition, you must migrate any custom code to use the new APIs if the old APIs have been deprecated. For information about APIs in Oracle Identity Manager 11g Release 2 (11.1.2.0), see Oracle Fusion Middleware Java API Reference for Oracle Identity Manager.

10.2.12 Catalog Tag Cannot Store More Than 256 Characters

When you create a role, entitlement, or application instance with the maximum possible values for the name, display name, and description attributes, only the first 256 characters of the entity are displayed in the request catalog. For example, when you create a role with name=2000 characters, role display name=3000 characters, and description=1024 characters, and search for the role in the request catalog, only the first 256 characters of the corresponding entry for the role are displayed. The user must search for the entity in the catalog by using words present in the first 256 characters of the entity name, display name, or description.

This is a known issue, and a workaround is currently not available.

10.2.13 Self Registration Request Fails After Request Approval

When the task assignee of a self registration request tries to approve the task from the Pending Approvals page, the task is approved but the request moves to the Request Failed status.

For self registration requests, Organization is a mandatory attribute that must be provided by the approver before approving the task. If the task is approved from the Pending Approvals page, the task is completed, but because the approver has not updated the Organization for the user, the request fails. The following workaround is available for the approver:

  1. Provide a value for the Organization attribute for the user in the task details page.

  2. Update the user information by clicking Update in the task details page.

  3. Approve the task from the task details page.

Oracle Identity Manager validates that mandatory attribute values are provided in the task details page and that all changes to the page are saved before the task is approved.

10.2.14 Soft-Deleted Entitlement is Provisioned by Access Policy-Based Provisioning

When performing access policy-based entitlement provisioning where the entitlement is already soft-deleted, the entitlement can still be provisioned to the user.

This is a known issue, and a workaround is currently not available.

10.2.15 Interrupted Scheduled Job Run Fails on Restarting

When a long running scheduled job is run for a considerable time and the job is interrupted by pressing the stop button, the job status changes to Interrupted and a message is displayed stating that the job is stopped.

However, depending on how the stop check is implemented in the execute method of each scheduled job, processing stops only after that check runs, which might be after a specified time. If the check is delayed, there is a corresponding delay in the actual stopping of the job in the backend. Until the execute method of the job verifies that the job is stopped, the job status continues to show Interrupted rather than Stopped. After the verification result is returned, the job status changes to Stopped, and only after this change in status can the next run of the job be rescheduled.

10.2.16 Bulk Request for Multiple Entities Fails After Approval

When a request for multiple entities, such as application instances, roles, or entitlements, is created for a user who does not have the viewer admin role for the entities, no error is generated during request submission. However, the request fails after approval. This is because a bulk request checks only the requester's permissions. The beneficiary's permissions are used to determine the child requests to be created after request-level approval is done.

This is a known issue, and a workaround is currently not available.

10.2.17 Heterogeneous Request for Entitlements Without Primary Account Can Be Submitted

When a heterogeneous request involving entitlements whose primary accounts are not provisioned is submitted, no error is generated. This is because the submission of a bulk request goes through without any validation until the request is approved.

This is a known issue, and a workaround is currently not available.

10.2.18 Import of Disconnected Application Instance Fails

When you export an application instance, the Deployment Manager shows the IT Resource and Resource as dependent objects in the Select Dependencies window. In the final export window, at the end of the dependency selection, the Deployment Manager shows IT Resource Defn in the Unselected Dependencies list. To avoid import failure, add the IT Resource Defn dependency from the Unselected Dependencies list.

10.2.19 Existing Data for Administrators Role Grant Does Not Sync After Applying Patch 14591093

In an environment in which the Administrators role was already granted to the system administrator or any other user before applying patch 14591093, this role grant is not reflected in LDAP after the patch is applied. The patch handles only new grants of the Administrators role to users.

To work around this issue, perform any one of the following:

  • Retry the role grant with a newly created user, or with a user who has not been granted the Administrators role, through the Oracle Identity Manager User and Administrative Console.

  • Include the user's DN in the Administrators unique member in Oracle Directory Services Manager (ODSM). To do so:

    1. Log in to ODSM.

    2. Find the 'cn=Administrators,cn=Groups,dc=us,dc=example,dc=com' role.

    3. Add the uniquemember field.

    4. Specify the DN of the user. For example, for the oim_admin user, the dn is 'cn=oim_admin,cn=Users,dc=us,dc=example,dc=com'.

    5. Click Save/Apply.

    6. Retry the role grant.

10.2.20 The Reset Button in the Resource Object Lookup Redirects to Basic Search

In the Create Application Instance page, when you search for a resource object by using Advanced Search and then click the Reset button, instead of resetting the values on the same page, the search is redirected to Basic Search. This is because the Reset button resets the QueryDescriptor object in Application Development Framework (ADF), which defines the Simple or Advanced display mode. For details about the QueryDescriptor object, refer to the ADF documentation.

10.2.21 IT Resource Definition Not Displayed in Dependency List

When exporting an application instance by using the Deployment Manager, the IT resource definition is not displayed in the dependency selection list. This is because the Deployment Manager shows only one level of dependencies in the Select Dependency page of the Export wizard. Other dependent objects are displayed in the Unselected Dependencies pane in the Export wizard before the export. To avoid missing dependencies at the time of import, select the dependent object from the Unselected Dependencies pane.

10.2.22 Error in Entitlement Provisioning for Manually Created Resource Object

When you create a resource object by using the Design Console, create the provisioning process, parent and child forms with entitlement, change the lookup code with the correct ITResource key, populate the ent-list table, and then try to provision the entitlement, the following error is generated:

IAM-4060021 : An error occurred while validating whether entitlement with key 2151 is already provisioned to user with key 31 and the cause of error is oracle.iam.provisioning.exception.GenericProvisioningException: Entitlement attribute not marked as key in reconciliation field mapping for UD_TESTC.

This means that the key attribute in the reconciliation field mapping is not defined for the child form attribute. Here, in the UD_TESTC child form, the Entitlement property of the UD_TESTC_LKP child form attribute is set to true, but the reconciliation mapping is not defined.

To work around this issue, define the reconciliation field mapping. See "Reconciliation Field Mappings Tab" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about reconciliation field mapping.

10.2.23 Values in Dependent Combo Box Not Displayed On Selecting Value in Parent Combo Box

When you have a dependent lookup with a combo box and select a value in the parent combo box, the correct values in the dependent combo box are not displayed.

To work around this issue, add the partialTriggers property through WebCenter Composer to refresh the dependent choice list. To do so:

  1. Find the parent choice list component ID by downloading the JSFF file.

  2. In WebCenter Composer, set the partialTriggers property of the dependent list with the parent choice list component id.

10.2.24 QBE Returns No Result When User Has No Permission on Organization of the Requester

A user is allowed to search for a request in the Track Requests page even though the user does not have permissions on the requester's organization. However, filtering the records by requester in the Track Requests page by using Query By Example (QBE) does not return any result when the user does not have permissions on the requester's organization.

This is a known issue, and a workaround is currently not available.

10.2.25 Checkbox UDF Displayed as Boolean Field

When you create a UDF of type checkbox in the User form, customize the Create User, Modify User, and User Details pages to add the UDF, and then create a user by selecting the checkbox, the UDF is displayed as a Boolean field with the values true and false.

To work around this issue, drop the UDF on the User Details page as a check box, and mark the field as read-only.

10.2.26 Lookup for Entitlements Must Be Searchable and Searchable Lookup

When creating a child table with a lookup field for entitlement, the following options must be selected so that the Entitlement=true property is set and the field type is a lookup field:

  • Searchable

  • Entitlement

  • Searchable Picklist

Errors can occur when you do not select the Searchable option in the Constraints section and/or the Searchable Picklist option in the Advanced section. As a result, the field type of the form field is a Combo box instead of a LookupField.

To work around this issue, perform any one of the following:

  • If the Searchable option in the Constraints section is not selected, then open the form attribute again, and select the Searchable option to mark the attribute to be of searchable type. Then, create a new form for the application instance or select Regenerate View in the parent form view.

  • If the Searchable Picklist option in the Advanced section is not selected, then a Combo box type field is created. There is no way to edit the Searchable Picklist option. There are two ways to fix this. The first method is:

    1. Open the Form Designer form in the Design Console, and open the child form.

    2. Create a new version of the child form, and change the field type from ComboBox to LookupField. Then, activate the child form.

    3. Create a new version of the parent form, associate the new version of the child form, and then activate the parent form.

    4. Create a new form for the application instance or regenerate the view of the existing parent form.

    The second method is to create another form field attribute with the correct options selected. Then, customize the parent form page, and hide the form field with the incorrect attribute values.

10.2.27 Dependent Lookup Does Not Work With Pick List Component

When you have a dependent lookup with a pick list (a lookup with a magnifying-glass icon to search for values) and select a value in the parent lookup, the correct values in the dependent combo box are not displayed. This is because Oracle Identity Manager does not support dependent lookups for the pick list component.

This is a known issue, and a workaround is currently not available.

10.2.28 Refresh Button in the Entitlements Tab Does Not Work

In the Entitlements tab of the Application Instances page, the Refresh button does not work. Although entitlements are created, clicking the Refresh button does not display them.

To work around this issue, click the Organizations tab, and then click the Entitlements tab again. The entitlements are then displayed in the Entitlements tab.

10.2.29 No Actions for Create To-Do Task and Create Subtask Menu Items

In the Actions menu of the Pending Approvals page, the Create To-Do Task and Create Subtask menu options are available for approval tasks. These actions are performed by SOA; therefore, no actions are performed in Oracle Identity Manager for these menu items.

10.2.30 Cascading Lookups Display Limited Number of Values

When you create a cascading lookup as a LOV or as a combo box, only 25 values are displayed in the lookup search irrespective of the number of values.

To work around this issue, do one of the following:

  • Do not use cascading lookup as a combo box, and instruct users to narrow the searches.

  • Implement cascading lookups by using the Managed Bean approach, as described in "Implementing Custom Cascading LOVs" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

10.2.31 Catalog Search With Special Characters Fails

If a catalog search contains special characters, the search fails with an error that carries IAM-7130125 and a DRG code in the message, such as:

IAM-7130125 : Search token caused Oracle text DRG issue, DB exception is :ORA-20000: Oracle Text error: DRG-50943: query token too long on line 1 on column 40 20000
IAM-7130125 : Search token caused Oracle text DRG issue, DB exception is :ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error on line 1, column 5 20000

To avoid the issue, escape the special characters with the backslash character (\) in the search query string. For example, replace the special characters (, ), and " with \(, \), and \" respectively.

10.2.32 Lookup Search Does Not Support Asterisk Wildcard Character

Searching for lookup definitions with the asterisk character (*) is not supported. For example, searching for lookup definitions with * or a* does not return any result.

To work around this issue, search with the percent character instead, for example % or a%.

10.2.33 Errors Not Displayed in Form Designer

When you add a UDF to a form by using the Form Designer and mark the UDF as both Searchable and Encrypted, no error message is displayed although this combination is not valid.

This is a known issue, and a workaround is currently not available.

10.2.34 UDF for Provisioned Users Not Displayed in the UI

When a new UDF is added to the application instance form and the UDF is updated for already provisioned users, it is not displayed in the UI but is available in the database.

To work around this issue, run the Form Version Control (FVC) utility, specifying the latest version, after adding the UDF to the form.

10.2.35 User Creation Fails if Default Password Policy is Removed

User creation depends on the default password policy and fails if there is no default password policy. Therefore, the default password policy must not be deleted.

To avoid failure of user creation because of default password policy removal, Oracle recommends the following:

  • The default password policy is the only one used for user creation, and deleting it is not recommended.

  • The constraints of the default password policy can be modified if passwords are expected to meet different criteria.

  • If the default policy is deleted, or if a different password policy is to be treated as the default password policy used for user creation, then the desired default policy must be associated with the TOP organization.

10.2.36 Exception Displayed Intermittently

The following error message might be displayed intermittently:

too many objects match the primary key oracle.jbo.key[ua0902 ]. with npe

For example, when you try to reassign a task in Oracle Identity Self Service, this error message might be displayed intermittently.

Whenever this error message is displayed, log out of Oracle Identity Self Service and log in again.

10.2.37 Application Instance Not Activated or Published

If an application instance that has forms attached to it is to be used in the request catalog, then the sandbox must be either activated or published.

10.2.38 Benign unknownplatformexception Error

A benign unknownplatformexception error is sometimes displayed when logging in by using any Oracle Identity Manager client, for example when logging in to the Design Console, although the login is successful.

This does not result in any loss of functionality.

10.2.39 Error in Searching for Data Components

When you search for data controls from the catalog in the Data Components dialog box, the search is only performed for the data controls at the top level and not for the fields. An error is logged when you search for the fields in the Data Components dialog box for customization purpose, and the search does not return any result.

This is a known issue, and a workaround is currently not available.

10.2.40 Retry Provisioning Task Fails

When a provisioning task is assigned to a role and the role member is able to view the task, and when the role member tries to retry the provisioning task, the following error message is displayed:

Error JBO-29000: Unexpected exception caught: Thor.API.Exceptions.tcBulkException, msg=null
Error Localized message not available. Error returned is: null

To work around this issue, assign the provisioning task to the System Administrator role.

10.2.41 Multiple Entries Displayed for the Same Provisioning Task

When a user opens the Provisioning Tasks page in Oracle Identity Self Service and clicks Search, multiple entries for the same provisioning task that is assigned to the user are displayed.

To work around this issue, close the Open Tasks page and reopen it.

10.2.42 Length of Attribute Value Changes on Updating the Form Field

The following issues are encountered if you update a field in an existing form:

  • If you update the existing Organization Name field in the AD User form, save and close the form, regenerate the view, and then provision and provide the lookup value for Organization Name in the catalog, the following error message is displayed:

    IAM-2050099 : The length of the attribute value Organization Name is greater than the maximum allowed length 40.
    

    Even if you try to provision for a single user and select the Organization Name, the same error is displayed.

    To work around this issue, create a new form for AD User and attach it to the application instance.

  • For a child table, if you edit an existing lookup field, for example the GroupName field in the AD User form, add the Entitlement and Searchable options, and view the child form in the Design Console, one more field is added with entitlement = true, and the length of the field changes.

    To work around this issue, make the changes from the Design Console when configuring resources for entitlement for the first time.

10.2.43 Initiated Tasks and Administrative Tasks in the Pending Approvals Page Not Used

In the Pending Approvals page of Oracle Identity Self Service, the My Tasks, Initiated Tasks, and Administrative Tasks tabs are displayed. These tabs are generated by SOA. In Oracle Identity Manager, only the My Tasks tab is used.

10.2.44 Input Data Lost in Request Catalog

When you add an application instance in the request catalog, enter some data in the parent form, remove the user, and then add another user, the data entered in the parent form is lost.

This is a known issue, and a workaround is currently not available.

10.2.45 Error on Publishing Sandbox

If two users log in to Oracle Identity Self Service by using the same System Administrator login credentials, perform operations by using the same sandbox, and try to publish the sandbox, then the following error is displayed and the sandbox is not published:

Publish Sandbox Failed
oracle.mds.sandbox.RefreshFailedException: MDS-00001: exception in Metadata
Services layer MDS-00165: metadata Object
"/persdef/oracle/iam/ui/catalog/model/am/CatalogAM.xml" has changed
MDS-00164: There is a concurrent "UPDATE" operation on the document
"/persdef/oracle/iam/ui/catalog/model/am/mdssys/cust/site/site/CatalogAM.xml.x
ml". MDS-00165: metadata Object
"/persdef/oracle/iam/ui/catalog/model/am/CatalogAM.xml" has changed
MDS-00164: There is a concurrent "CREATE" operation on the document
"/persdef/oracle/iam/ui/catalog/model/am/mdssys/cust/site/site/CatalogAM.xml.x
ml". MDS-00165: metadata Object
"/persdef/oracle/iam/ui/catalog/model/am/CatalogAM.xml" has changed
MDS-00164: There is a concurrent "UPDATE" operation on the document
"/persdef/oracle/iam/ui/catalog/model/am/mdssys/cust/site/site/CatalogAM.xml.x
ml". MDS-00165: metadata Object
"/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" has changed
MDS-00164: There is a concurrent "UPDATE" operation on the document 

This is a known issue, and a workaround is currently not available.

10.2.46 Import/Export of Organization and Role Without UDFs

Organization and role entities are imported and exported via the Deployment Manager without any related UDFs and UDF values. The related UDFs are imported and exported separately via the Deployment Manager by using the Role Metadata and Organization Metadata options available in the drop-down list of exportable entities in the Deployment Manager.

Only the default values of UDFs are imported and exported. The values assigned to UDFs at creation of organization and role entities are not imported or exported.

10.2.47 Possible Suboptimal SQL in Target Resource Reconciliation Run

When you add a resource object and run target resource reconciliation for bulk accounts by using the DBUM connector, the following SQL might show suboptimal performance:

Note:

  • The exact SQL structure may vary because of the matching rule predicates in an environment.

  • This SQL may run with a suboptimal plan in a few environments, but not in all of them. Every setup has its own characteristics in terms of data volume, distribution, and selectivity.

INSERT
INTO    RECON_ACCOUNT_MATCH
(
   RE_KEY  ,
   ORC_KEY ,
   SDK_KEY ,
   RAM_ROWVER
)
 
(
   SELECT re.re_key           ,
          ud_db_ora_u.orc_key ,
          :"sys_b_0"          ,
          :"sys_b_1"
   FROM   UD_DB_ORA_U UD_DB_ORA_U                        ,
          ra_oracledbuser725eedcb ra_oracledbuser725eedcb,
          ost ost                                        ,
          oiu oiu                                        ,
          recon_events re
   WHERE  re.rb_key =:"SYS_B_2"
          AND re.re_status = :"SYS_B_3"
          AND re.re_key = ra_oracledbuser725eedcb.re_key
          AND
          (
            ud_db_ora_u.ud_db_ora_u_itres=ra_oracledbuser725eedcb.ra_itresource15641f83
            AND
            ud_db_ora_u.ud_db_ora_u_username=ra_oracledbuser725eedcb.ra_username8825b9c0
          )
 
          AND oiu.orc_key = ud_db_ora_u.orc_key
          AND ost.ost_key = OIU.ost_key
          AND ost.ost_status <> :"SYS_B_4"
)

To work around this issue, tune the suboptimal SQL by locking a better execution plan in the Oracle Database by using the SQL Profile feature. This feature helps optimize database performance when the optimizer, in normal mode, does not pick an execution plan that is tuned for performance. Therefore, a SQL Profile can be used to lock a better plan for this SQL in the database environment (by running the SQL Tuning Advisor and accepting the SQL Profile it recommends).
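The SQL Tuning Advisor and SQL Profile workaround described above, as an added PL/SQL example that is not part of the Oracle release notes. The <sql_id> placeholder, the task name OIM_RECON_MATCH_TUNE and the profile name OIM_RECON_MATCH_PROFILE are assumptions; run it as a DBA user with the ADVISOR privilege.

```sql
-- Added example (not from the Oracle release notes): lock a tuned plan for the
-- RECON_ACCOUNT_MATCH insert with a SQL Profile. Task and profile names are assumed.

-- 1. Find the SQL_ID of the reconciliation insert in the shared pool. The :"SYS_B_n"
--    binds in the statement show that cursor sharing replaced the literals, so the
--    normalized text still starts with INSERT and names RECON_ACCOUNT_MATCH.
SELECT sql_id, plan_hash_value, executions, elapsed_time / 1e6 AS elapsed_s
FROM   v$sql
WHERE  sql_text LIKE 'INSERT%RECON_ACCOUNT_MATCH%'
ORDER  BY elapsed_time DESC;

-- 2. Create and run a SQL Tuning Advisor task for that SQL_ID (replace <sql_id>).
DECLARE
  l_task VARCHAR2(64);
BEGIN
  l_task := DBMS_SQLTUNE.CREATE_TUNING_TASK(
              sql_id      => '<sql_id>',                 -- placeholder
              scope       => DBMS_SQLTUNE.SCOPE_COMPREHENSIVE,
              time_limit  => 600,                        -- seconds
              task_name   => 'OIM_RECON_MATCH_TUNE',     -- assumed name
              description => 'Tune OIM RECON_ACCOUNT_MATCH insert');
  DBMS_SQLTUNE.EXECUTE_TUNING_TASK(task_name => l_task);
END;
/

-- 3. Review the findings. Accept a profile only if the report recommends one and
--    the projected benefit is real for this environment's data distribution.
SET LONG 1000000 LONGCHUNKSIZE 1000000 LINESIZE 200
SELECT DBMS_SQLTUNE.REPORT_TUNING_TASK('OIM_RECON_MATCH_TUNE') FROM dual;

-- 4. Accept the recommended SQL Profile. force_match => TRUE lets the profile
--    match the statement even when literal values differ, so it still applies
--    if cursor sharing is EXACT and the rb_key/status literals are not bound.
DECLARE
  l_profile VARCHAR2(64);
BEGIN
  l_profile := DBMS_SQLTUNE.ACCEPT_SQL_PROFILE(
                 task_name   => 'OIM_RECON_MATCH_TUNE',
                 name        => 'OIM_RECON_MATCH_PROFILE', -- assumed name
                 force_match => TRUE);
END;
/

-- 5. Confirm the profile exists and is enabled before the next reconciliation run.
SELECT name, status, force_matching, created
FROM   dba_sql_profiles
WHERE  name = 'OIM_RECON_MATCH_PROFILE';
```

Re-check the plan after the next bulk reconciliation run; if the data volume changes significantly, rerun the advisor rather than keeping a stale profile.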

10.2.48 Multiple Child Tables Cannot Be Used in Requests

Even if a connector has more than one child table, only one child table can be used in requests.

To work around this issue, use entitlement requests.

10.2.49 Rule Creation For More Than 10000 Users Fails

Rule creation for group membership does not work if it matches more than 10000 users during the rule creation.

This is a known issue, and a workaround is currently not available.

10.2.50 Some Special Characters Do Not Work Directly in Catalog Search

In the request catalog, search keywords that include most of the commonly used special characters, such as #, $, and -, in requestable entities work correctly and return the desired results. However, search keywords with a few special characters, such as double quote ("), colon (:), or brackets, do not return the desired results.

To obtain the result set with these special characters, escape them with a backslash (\). For example, specify \:\" or \( in the search criteria to escape the :, ", and ( special characters.

10.2.51 Session Failover Issues

Active-Active session failover does not work properly with Oracle Identity Manager. These issues are mostly seen in Oracle Identity System Administration.

This is a known issue, and a workaround is currently not available.

10.2.52 Error in Adding Data for Process Instance to Child Form

If there are any changes to the application instance form, such as adding new fields, adding new child forms, or adding fields to child forms, then the form versions of all existing users must be updated to the latest version by using the Form Version Control Utility. This utility is available in the design console directory. Update the properties file as follows, and run the utility:

  • Resource Object Name: roname

  • Process Form Name: UD_PFORM

  • From Version: <fromversion>

  • To Version: <toversion>

10.2.53 Last Entitlement Not Removed

Oracle Identity Manager does not remove the last entitlement during a modify account request.

To work around this issue, remove the existing entitlement by using a revoke entitlement request instead of a modify account request.

10.2.54 Manual Fulfillment Task Not Initiated for Entitlement Provisioning

An entitlement request for a disconnected resource does not initiate the manual fulfillment task but marks the request as completed.

To work around this issue, use the Design Console to open the corresponding provisioning process for the disconnected application and add a manual provisioning task for entitlement provisioning, so that this manual task is initiated after the approval is complete.

10.2.55 Form Fields Displayed For Disable/Enable/Revoke Manual Provisioning Task

The form associated with a disconnected application instance is displayed even when the request type is disable, enable, or revoke. There is no loss of functionality in displaying the form during these requests. Ignore the form fields and submit the request.

10.2.56 Duplicate Rows in Request Tracking

Request tracking might display duplicate rows for the same request when searching by beneficiary. Ignore the duplicate rows.

10.2.57 Help Desk and Beneficiaries Cannot View Approval Status

Only the requestor and approver of a request and the System Administrator are allowed to track the approval status. Help Desk users and beneficiaries of the request cannot view the approval status.

This is a known issue, and a workaround is currently not available.

10.2.58 Help Desk Cannot Use Request Tracking

Request tracking for the Help Desk role requires the beneficiary of the request to be specified, even when searching by request ID.

To work around this issue, run a full search of the requests without specifying any search filters.

10.2.59 Use Request Details to Approve Requests That Do Not Require Mandatory Information

For requests that require mandatory additional information to be provided, such as Organization, when approving a self-registration request, do not act upon the request directly from the Pending task list. Open the request, provide the required information in the Request Details page, and then approve the request. This is a SOA tasklist limitation.

10.2.60 Justification Not Persisted

Oracle Identity Manager does not persist the justification entered during a request process, and therefore this data is not available for reporting.

10.2.61 The Refresh Button in Some Pages Does Not Work Properly

Due to ADF caching, some of the pages do not refresh properly on clicking the Refresh button.

To work around this issue, close the tab and reopen it.

10.2.62 Benign Error Messages

Although Oracle Identity Manager handles all validations, some of the error messages are not detailed enough. Benign exceptions and error messages might be displayed in the server logs during server startup, which can be ignored as long as the system is up and running.

10.2.63 Accessibility Compliance

Currently, the system is not completely compliant with accessibility guidelines, and the Accessibility link provided does not function.

10.2.64 Password Policy Not Enforced

A password policy attached to a resource is not enforced properly during a request for a connected resource. However, when you change the password of a provisioned resource from the My Information page, the policy is enforced.

10.2.65 Request Summary Report Does Not Work

The existing Request Summary Report does not work in Oracle Identity Manager 11g Release 2 (11.1.2) because of request model changes.

This is a known issue, and a workaround is currently not available.

10.2.66 Form Designer Failure Not Displayed

Form designer failures in the backend are not displayed in the UI. If the change you expect is not successful, then abandon the sandbox. Oracle recommends creating and using short-lived sandboxes (for example, a separate sandbox with a detailed description for each of UI customization, form creation, and UDF addition) so that conflicts can be avoided.

10.2.67 Request for Application Instance Fails If Related Sandbox is Not Published

If the sandbox in which an application instance is created is not published, then a request for that application instance fails during the request checkout process. The best practice is to create a sandbox for an application instance and publish it immediately.

10.2.68 Application Instance Administrator Cannot Create Forms

Only System Administrators or System Configurators can create forms and attach them to application instances.

10.2.69 Delete Reconciliation Does Not Work With libOVD and ODSEE

Delete reconciliation does not work with the libOVD and ODSEE combination.

This is a known issue, and a workaround is currently not available.

10.2.70 Unpublished Entitlements Provisioned Via Access Policy

Although an entitlement is not published to an organization, an access policy can still provision the entitlement to the user of that organization. This is because access policies are not aware of the publishing and scoping security model of Oracle Identity Manager.

This is a known issue, and a workaround is currently not available.

10.2.71 Organization UDF Not Supported

Oracle Identity Manager does not support user defined fields (UDFs) for organizations in this release.

10.2.72 Lookup Values Not Saved on the My Information Page

Oracle Identity Manager does not support creating a UDF of type Lookup for the My Information page.

10.2.73 Apply and Revert Buttons Remain Disabled After Changing UDF value

After you change the value of a user defined field (UDF) and move out of the field, the Apply and Revert buttons remain disabled. Note that if you change the value of a predefined field, then these buttons are enabled as expected.

To work around this issue:

  1. Create a sandbox and activate it. Open the page that contains the UDF, and click Customize.

  2. Select View, Source.

  3. Note the value of the valueChangeListener property of a predefined field. To do so:

    1. Click the predefined field, and then click Edit to open the Component Properties dialog box.

    2. Copy the value of the valueChangeListener property.

  4. Export the sandbox as a ZIP file.

  5. Extract the ZIP file and edit the jsff.xml file for the specific screen.

  6. Add the following attributes to the ADF tag, for example af:inputText, for the UDF:

    • valueChangeListener="VALUE_COPIED_IN_STEP3"

    • autoSubmit="true"

  7. Create the ZIP file for the sandbox.

  8. Import the sandbox.

  9. Publish the sandbox.

10.2.74 Benign Error for Missing Matching Rule Data

When running reconciliation, the matching rule transformation fails with the following error message if not all the fields that are part of the matching rule are provided as input when invoking the ignoreEvent API:

<BEA-000000> <Generic Information: {0}
oracle.iam.reconciliation.exception.DBAccessException: Failed SQL:: select
USR_KEY from usr where USR_FIRST_NAME=? and USR_LAST_NAME=? and USR_LOGIN=?
and USR_TYPE is null and USR_EMAIL is null and USR_MIDDLE_NAME is null and  
USR.USR_STATUS != 'Deleted' AND ((UPPER(USR.USR_LOGIN)=UPPER(?)) OR
(UPPER(USR.USR_UDF_OBGUID)=UPPER(RA_EZCUSERTRUSTED49EC4A54.RA_OBJECTGUID)))
=>PARAMS:: [John, Doe, J.DOE, J.DOE]
Caused By: java.sql.SQLSyntaxErrorException: ORA-00904:
"RA_EZCUSERTRUSTED49EC4A54"."RA_OBJECTGUID": invalid identifier

This is a benign error, and there is no functional loss because of this. The event is not ignored. It is created and processed normally without causing any data corruption.

10.2.75 User Type Attribute Value Not Populated

When you customize the User Type attribute in the My Information page, for example to display the User Type attribute as read-only, the value of the User Type attribute is not populated.

The attribute is labeled User Type in the My Information page, but in the customization VO you must select role to populate the correct values in the User Type attribute. Therefore, to work around this issue:

  1. In customization mode, select the Panel Form Layout Component.

  2. Open the Resource Catalog.

  3. Select Data Component, My Information, UserVO1, and then select role.

  4. Drop the field with Output Text with a label.

10.2.76 Approval Page Customization Not Supported

Approval page customization is not supported in this release. Therefore, functionalities, such as requester-only and approver-only, cannot be achieved.

10.2.77 Enable, Sequence, and Description for Lookup Values Not Supported

The Enable, Sequence, and Description attributes are not supported for lookup values. Therefore, do not include a value in the Description field for searching lookups. Also, the Enabled, Sequence, and Description columns are displayed without any values.

10.2.78 Cannot Add Radio Button

When you try to add a radio button to a form, for example organization form, a forward-only range paging error is generated. This is because adding a radio button through drop handlers is not supported. However, radio buttons can be added to forms through view layer customization with custom code.

10.2.79 Indirect Role Membership Error

Clicking the Roles tab in the My Access section or the Users section of Oracle Identity Self Service generates an error when the logged-in user has an indirect role relationship.

10.2.80 Created UDFs Not Listed in Customization View

When you create a UDF in an active sandbox, the UDF is not listed in the customization view (catalog of the Data Component).

To avoid this issue, create the UDF, and then create the sandbox and activate it. Newly created UDFs are displayed in customization view in the sandboxes created after the UDF creation.

10.2.81 Attributes Cannot Be Marked Required Using Form Designer

Attributes cannot be marked as required or mandatory from the Form Designer. However, mandatory attributes can be specified by customizing the page by using Oracle WebCenter.

10.2.82 Cascading LOV Not Working

When you set up cascading LOVs, the values in the dependent LOV are not displayed based on the selection in the parent LOV.

To work around this issue:

  1. Set up the cascading LOV by using two UDFs.

  2. Add both the Select One Choice components.

  3. Set up partial rendering of the component.

10.2.83 Number Type Lookup Code Not Supported

Oracle Identity Manager does not support number type lookup code in this release.

10.2.84 Customizing the Self Registration Page Does Not Work

When you try to customize the self registration page of Oracle Identity Manager by selecting View, Source, validation error messages are displayed stating that input for the form fields is missing.

To avoid this issue, provide values for the input fields in the self registration page. The complete steps to customize the self registration page are the following:

  1. Log in to Oracle Identity Self Service.

  2. Activate a sandbox.

  3. Click Customize.

  4. Navigate to the Oracle Identity Manager login page, and click New User Registration. Alternatively, navigate to /identity/faces/register directly.

  5. Enter values for the required input fields.

  6. Select View, Source.

  7. Customize the page.

10.2.85 Some Help Links Do Not Work

When you access Help Topics for Oracle Identity Manager from Oracle Identity Self Service and Oracle Identity System Administration, some links do not work. The following are the navigation paths where the links are not active:

From Oracle Identity System Administration:

  • Help link from Identity System Administration, Using Oracle Identity System Administration, Lookups

  • Help link from Identity System Administration, Using Oracle Identity Self Service, Approval Details, Request for Information

From Oracle Identity Self Service:

  • Help link from Identity Self Service, Using Oracle Identity Self Service, Approval Details, Request for Information

  • Help link from Identity Self Service, Using Oracle Identity Self Service, Manage Sandboxes

  • Help link from Identity Self Service, Using Oracle Identity Self Service, Customize Oracle Identity Self Service

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Manage Reconciliation Events

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Manage Policies:

    - Create Access Policies

    - Manage Access Policies

    - Create Attestation Configuration

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Approval Policies

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Manage Attestation Configuration

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Password Policy

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Perform Configuration Tasks: Create IT Resource

    - Manage IT Resource

    - Create Generic Connector

    - Manage Generic Connector

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Form Designer

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Application Instances:

    - Search Application Instances

    - Create Application Instances

    - Delete Application Instances

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Modify Application Instances, The How links

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Lookups

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Perform System Management Tasks:

    - Import

    - Export

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Scheduler

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Notification

  • Help link from Identity Self Service, Using Oracle Identity System Administration, System Management

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Manage Connector

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Manage Sandboxes

View the Help topics from the relevant section of the interface. For example, to view the Help topic for System Management or Sandboxes, navigate to the Help topics from Identity System Administration. For any topic that is not displayed, refer to Oracle Fusion Middleware Identity Management 11g Release 2 (11.1.2) Documentation Library.

10.2.86 Unpublished Entities Provisioned Via Access Policies

Entitlements and accounts can be granted via access policies. When entitlements and accounts are granted via access policies, organization scoping does not apply, and therefore, the entitlements and accounts that are not published to the target user's organization are also provisioned.

10.2.87 Certificate-Based Digital Signatures Not Supported

For task approvals, Oracle Identity Manager does not support digital signatures based on certificates. However, Oracle Identity Manager supports password-based digital signatures. See "How to Specify a Workflow Digital Signature Policy" in the Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite.

10.2.88 Entitlements Provisioned to Users Not Displayed After Upgrade

In an upgraded deployment of Oracle Identity Manager 11g Release 2 (11.1.2), the entitlements provisioned to the users before the upgrade are not displayed in the Entitlements tab.

To display the entitlements in the Entitlements tab after the upgrade, log in to Oracle Identity System Administration, and run the Entitlement Assignments scheduled job.

10.2.89 Labels in Query Panel Cannot be Customized

By default, labels in query panels are not customizable. For example, the Beneficiary label in the Track Requests search page cannot be customized, but the column names in the Track Requests search results table can be changed.

10.2.90 UMS Fails to Send Notification While Provisioning Account

If a notification template has been attached to the corresponding provisioning task, then while provisioning an account for an OIM user, the notification message is not sent and a NullPointerException error message is logged if only the UMS notification provider is configured. Notification templates are not supported in Oracle Identity Manager 11g Release 2 (11.1.2).

10.2.91 Error on Creating Subtask

When the requester tries to create a subtask by selecting Create Subtask from the Actions menu in the Inbox, NullPointerException is generated. Creating subtasks is not supported for certification tasks.

10.2.92 Running the pasteConfig Script Displays Incorrect Error Message

While running the pasteConfig script on the target host, if the JDK location specified does not exist, then an incorrect error message is displayed, as shown:

The JDK wasn't found in directory /scratch/aime1/jrockit-jdk1.6.0_37-R28.2.5-4.1.0.
Please edit the startWebLogic.sh script so that the JAVA_HOME variable points to the location of your JDK.

You can ignore this error message because it does not result in any loss of functionality.

Note:

If the source Middleware home uses a JDK that is external to the Middleware home, then the pasteBinary operation must also use an external JDK. The JDK provided to run the FMW T2P utility must be accessible to both the source and the target.

10.2.93 Error Logged While Exporting Metadata of oracle.security.apm Application

The following error is logged on running the FMW T2P copyConfig utility in the source computer:

Exporting metadata of application -  oracle.security.apm
.
Metadata transfer operation started
Exporting metadata from repository . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Metadata tranfer operation failed
.
Cause: main.WLSTException : MDS-00503: The metadata path "../mds" does not contain any valid directories.MDS-91009: Operation "exportMetadata" failure.
Use dumpStack() to view the full stacktrace. 
.
Unable to export Application data from Oracle Metadata Repository. The Application "oracle.security.apm" may not have any data in Oracle Metadata Repository or it may not be in "ACTIVE" state.

This is a benign error and can be ignored because it does not cause any loss of functionality in Oracle Identity Manager.

10.2.94 Error Logged While Exporting Metadata of oim Application

The following error is logged on running the FMW T2P copyConfig utility in the source computer:

Exporting metadata of application -  oim
.
.
Cause: main.WLSTException : MDSAppRuntimeMBean is not available for oracle.mds.lcm:name=MDSAppRuntime,type=MDSAppRuntime,Application=oim,Location=oim_server1,*MDS-91009: Operation "exportMetadata" failure. Use dumpStack() to view the full stacktrace.
.
.
Unable to export Application data from Oracle Metadata Repository. The Application "oim" may not have any data in Oracle Metadata Repository or it may not be in "ACTIVE" state.

This is a benign error and can be ignored because it does not cause any loss of functionality in Oracle Identity Manager.

10.2.95 Benign ApplicationDB Connection Pool Errors

Errors related to the ApplicationDB data source connection pool might be logged. This data source is used internally by ADF for reading MDS artifacts for Oracle Identity Self Service. These errors cause no functional loss. The frequency of these exceptions can be reduced by tuning the data source Inactive Connection Timeout property and JVM parameters, such as jbo.ampool.timetolive and jbo.ampool.maxinactiveage.

The following exception might be logged:

<Warning> <JDBC> <BEA-001153>
<Forcibly releasing inactive/harvested connection
weblogic.jdbc.wrapper.PoolConnection_oracle_jdbc_driver_T4CConnection back
into the data source connection pool "ApplicationDB"

Immediately followed by:

java.sql.SQLException: Connection has already been closed.

10.2.96 Worklist Views Do Not Work After Applying Patch 16385074

After applying patch 16385074 for SOA 11.1.1.6.0, clicking the worklist views in the Inbox does not refresh the results in the view tables. This is because the application cache contains the old copy of the JSP files changed by the patch.

Therefore, to workaround this issue, clear the contents of the following directory:

OIM_DOMAIN_HOME/servers/OIM_SERVER/tmp/_WL_user/

10.2.97 Reconciliation Archival Utility Throws Errors

When you install an Active Directory Release 9.x connector and run the reconciliation archival utility, then uninstall the AD 9.x connector, install the AD 11g connector, and try to run the reconciliation archival utility again, errors are generated and the utility does not run. The following is a sample error message:

ERROR ==> Error/warning occurred while executing ./oim_create_recon_arch_tables.sql
For Details check log file ./logs/oim_create_recon_arch_tables.log
Exiting Utility

The errors are generated because old Reconciliation Archival tables related to the uninstalled connector still exist in the database. Therefore, to avoid this issue, after uninstalling a connector, drop the RA tables related to the connector.

10.2.98 Latency in Auto Closing the Tab After Acting on the Task

When you act on a task from the details page, the tab closes automatically, but after a delay of a few seconds. This is a known issue, and there is no workaround for this.

10.2.99 Filters on Some Columns Not Supported

Oracle Identity Manager does not support filters or Query by Example (QBE) on some columns in the search result table. Examples of such columns are Date Added and Hierarchy Aware.

10.2.100 Disconnected Resource Child Table Tasks Not Autocreated

Disconnected resource child table insert/delete trigger tasks are not autocreated when the child table with an Entitlement field is created by using the Design Console.

10.2.101 Field Added to a Page Might Not Be Displayed

During UI customization, when you try to add a field to a page for the first time, the field might not be displayed on the page. The field is displayed on the page when you retry adding the field by clicking the Add action.

10.2.102 Auto-Unlock Feature Does Not Work

The auto-unlock feature between Oracle Identity Manager and Oracle Access Manager (OAM) does not work. The user is not unlocked on running the Automatically Unlock User scheduled task.

The auto-unlock feature between Oracle Identity Manager and OAM depends on the fixes for the following bugs on top of Oracle Virtual Directory 11g Release 1 (11.1.1) Patch Set 5:

  • Bug# 13503440: OVD: REDUCE TRANSACTION SEND TO BACKEND WHEN USING USERMANAGEMENT PLUGIN

  • Bug# 14464394: NEW MAPPING FOR ORCLUSERLOCKEDON FOR CHANGELOG AND USERMANAGEMENT PLUGIN

10.2.103 Self Registration Request Fails

In an Oracle Identity Manager deployment on Microsoft Windows with OUD as the LDAP server, self registration requests fail. A successful self registration request depends on the fix for the following libOVD bug:

Bug# 16523164: OIM/LIBOVD SHOULD REQUEST 'MODIFIERSNAME' WHEN SEARCHING IN CN=CHANGELOG

10.2.104 Catalog Synchronization Job Overrides Certifier/Approver/Fulfillment User

For role processing, run the Catalog Synchronization scheduled job one time in Full mode, and run it in Incremental mode from the next time onward. If the job is run again in Full mode, it overrides the current values for certifier, approver, and fulfillment user, and sets them to Role Owner.

10.2.105 Certification Creation Fails With Incorrect SSL Configuration

If SSL is not configured correctly, then certification creation might fail and the following error is displayed in the scheduler page for certification creation:

org.springframework.transaction.TransactionSystemException: JTA failure on commit;
nested exception is javax.transaction.SystemException: Could not contact coordinator at
soa_server1+[2606:b400:2010:4049:216:3eff:fe52:65ba]:8002+RRC4SN130321+t3s+
        at
org.springframework.transaction.jta.JtaTransactionManager.doCommit(JtaTransactionManager.java:1044)
        at

To avoid this issue, the SOA clear (non-SSL) port must be open when Oracle Identity Manager is started. If Oracle Identity Manager has been started with the SOA clear port closed, then reopen the port and restart SOA and Oracle Identity Manager.

After the servers have started with the clear port open, you can close the clear port again. It needs to be open only while the servers are starting.

10.2.106 Role Certification Creation Fails With Only Certify Policy Option Selected

Role certification for only policies does not create certifications. While creating a role certification with content selected to certify only policies, the scheduler jobs fail with the following error:

java.lang.Exception: Role certification creation succeeded but with the following errors: {0}. Role certification creation failed with the following error: null.

10.2.107 Duplicate Attribute Labels Displayed

While adding a custom attribute by using the Form Designer, the Add Content dialog box incorrectly displays two labels for the same custom attribute. For example, for the custom attribute Att1, the labels Att1 and Att1_C are displayed. The correct label is Att1. If Att1_C is added, then the sandbox is corrupted and the following error is generated:

JBO-25058: Definition Att1__c of type Attribute is not found in UserEO.

If the corrupted sandbox is published, then the customized screen is corrupted and does not open for any user. The only solution then is to roll back the sandbox. For information about rolling back the sandbox, search for the technote "OIM 11gR2: How to Roll back A Published Sandbox" (ID 1496179.1) at the following URL:

https://support.oracle.com

10.2.108 Error in Clone Log During PasteConfig Operation

During the pasteConfig operation, if the specified target OPSS datasource URL is different from the source OPSS datasource URL, then the clone log contains some SQL errors. However, the pasteConfig operation completes successfully, and these errors can be ignored.

Error in logs:

INFO: Found persistence provider
"org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
INFO: Found persistence provider
"org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
[EL Severe]: --ServerSession(515759393)--Exception
[EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243):
org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-01017: invalid
username/password; logon denied

Error Code: 1017
oracle.security.jps.internal.credstore.ldap.LdapCredentialStore <init>
WARNING: Could not create credential store instance. Reason
oracle.security.jps.service.policystore.PolicyStoreException:
javax.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse
Persistence Services - 2.3.1.v20111018-r10243):
org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-01017: invalid
username/password; logon denied

Error Code: 1017
opss-DBDS:oracle.jdbc.OracleDriver:t2pp_
OPSS:jdbc:oracle:thin:@example.com:1521/orcl.example.com

10.3 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

10.3.1 Deep Linking of Identity URL in SOA Email Notification Does Not Work

When you embed an identity URL in a SOA email notification, the link does not work. To avoid this issue, apply the following SOA patch after installing SOA:

#15211191 - EMAIL NOTIFICATION DOESN'T EMBED URL PROPERLY IF IT CONTAINS /IDENTITY

10.3.2 Benign Connection Error From OIA For SoD Check

A connection error stating Argument(s) "type" can't be null is intermittently displayed when Oracle Identity Analytics (OIA) is configured for SoD Check and an SoD Check is initiated. The error is as follows:

Caused By: oracle.iam.grc.sod.exception.SILServiceComponentException:  
oracle.iam.grc.sod.scomp.impl.oia.analysis.SoDAnalysisExecutionOperOIA :
initializeUnable to connect to OIA Server : Argument(s) "type" can't be null.

This is a benign error and causes no functional loss.

10.3.3 Use Absolute Paths While Running configureSecurityStore.py With -m Join

The Config Security Store fails to create the policy store object when variables, such as ORACLE_HOME and MW_HOME, are used in paths while running wlst.sh with configureSecurityStore.py and -m join. Always use absolute paths in place of ORACLE_HOME and MW_HOME when running the command with -m join.

10.3.4 Oracle Identity Manager Fails to Find orclPwdExpirationDate

When OAM integration is enabled in an Oracle Identity Manager deployment that is configured with libOVD/OID, ODSEE, OUD, or AD, resetting a user password in Oracle Identity Manager fails, and the error message Attribute orclpwdexpirationdate is not supported in schema is generated.

To work around this issue, change the backend IDStore schema. To do so:

  1. Create a new attribute type: ( 2.16.840.1.113894.200.1.7 NAME 'orclPwdExpirationDate' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE USAGE userApplications ).

  2. Modify the orclIDXPerson objectclass to include orclPwdExpirationDate as an optional attribute.
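The two schema steps above can be carried out with one LDIF modify record. The following script is an added example, not Oracle's own tooling: it takes the attribute type definition quoted in step 1, appends orclPwdExpirationDate to the MAY list of an objectClass definition (step 2), and emits the LDIF for ldapmodify. Two things in it are assumptions: the schema entry DN defaults to cn=schema (correct for OUD and ODSEE; pass your directory's schema entry DN if it differs), and SAMPLE_ORCLIDXPERSON is a constructed stand-in with a placeholder OID, because the delete step must quote the exact objectClasses value your directory currently holds, which you read from the live schema first.

```python
"""Build the LDIF for the orclPwdExpirationDate schema workaround.

Added example, not Oracle's own code. The schema DN and the sample
orclIDXPerson definition below are assumptions; read the real
objectClasses value from your IDStore before running this for real.
"""
import re

# Attribute type exactly as quoted in the release note (step 1).
ORCL_PWD_EXPIRATION_DATE = (
    "( 2.16.840.1.113894.200.1.7 NAME 'orclPwdExpirationDate' "
    "EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' "
    "SINGLE-VALUE USAGE userApplications )"
)

# Constructed sample only: placeholder OID and a made-up MAY list.
# Replace with the objectClasses value your directory actually returns.
SAMPLE_ORCLIDXPERSON = (
    "( 1.3.6.1.4.1.99999.1.1 NAME 'orclIDXPerson' SUP top AUXILIARY "
    "MAY ( orclAccountLocked $ obLockedOn ) )"
)

# MAY clause in RFC 4512 form: either 'MAY attr' or 'MAY ( a $ b $ c )'.
MAY_RE = re.compile(
    r"\bMAY\s+(?:\(\s*(?P<list>[^)]*)\)|(?P<single>[A-Za-z][\w-]*))"
)
# NAME 'x' or NAME ( 'x' 'y' ); only the first name is needed here.
NAME_RE = re.compile(r"\bNAME\s+\(?\s*'(?P<name>[^']+)'")


def attribute_name(attr_defn):
    """Return the (first) NAME of an attribute type definition."""
    m = NAME_RE.search(attr_defn)
    if not m:
        raise ValueError("attribute type definition has no NAME: " + attr_defn)
    return m.group("name")


def may_attributes(oc_defn):
    """Return the optional attributes listed in an objectClass definition."""
    m = MAY_RE.search(oc_defn)
    if not m:
        return []
    if m.group("list") is not None:
        return [a.strip() for a in m.group("list").split("$") if a.strip()]
    return [m.group("single")]


def add_optional_attribute(oc_defn, attr_name):
    """Return oc_defn with attr_name appended to its MAY list (step 2).

    Idempotent: LDAP attribute names are case-insensitive, so an attribute
    that is already optional (in any letter case) leaves the definition
    unchanged.
    """
    current = may_attributes(oc_defn)
    if attr_name.lower() in (a.lower() for a in current):
        return oc_defn
    new_may = "MAY ( " + " $ ".join(current + [attr_name]) + " )"
    if current:
        return MAY_RE.sub(new_may, oc_defn, count=1)
    # No MAY clause yet: insert one before the closing parenthesis.
    body = oc_defn.rstrip()
    if not body.endswith(")"):
        raise ValueError("objectClass definition does not end with ')'")
    return body[:-1].rstrip() + " " + new_may + " )"


def build_schema_ldif(attr_defn, old_oc_defn, schema_dn="cn=schema"):
    """Emit one LDIF modify record that performs both workaround steps.

    Schema elements are edited by deleting the exact old objectClasses
    value and adding the new one; both changes sit in a single record so
    the directory applies them together.
    """
    new_oc_defn = add_optional_attribute(old_oc_defn, attribute_name(attr_defn))
    lines = [
        "dn: " + schema_dn,
        "changetype: modify",
        "add: attributeTypes",
        "attributeTypes: " + attr_defn,
        "-",
        "delete: objectClasses",
        "objectClasses: " + old_oc_defn,
        "-",
        "add: objectClasses",
        "objectClasses: " + new_oc_defn,
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Redirect the output to a file and feed it to ldapmodify, e.g. with the
    # OpenLDAP client (host name is a constructed placeholder):
    #   ldapmodify -H ldaps://idstore.example.com -D "cn=Directory Manager" -W -f schema.ldif
    print(build_schema_ldif(ORCL_PWD_EXPIRATION_DATE, SAMPLE_ORCLIDXPERSON), end="")
```

Run the script once against the real orclIDXPerson value and review the generated record before applying it; because the delete step names the old value verbatim, a mismatch is rejected by the directory rather than silently replacing the wrong definition.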

10.3.5 Design Console Login Failure With SSL Enabled

If SSL is enabled on the Design Console, then login to the Design Console might fail with the following 'Invalid Login' error:

Error Keyword: DAE.LOGON_DENIED
Description: Invalid Login.
Remedy: Contact your system administrator.
Action: E
Severity: H
Help URL:
Detail:
javax.security.auth.login.LoginException: java.lang.NoClassDefFoundError:
com/rsa/jsafe/JSAFE_InvalidUseException
    at
weblogic.security.SSL.SSLClientInfo.getSSLSocketFactory(SSLClientInfo.java:101
)
    at
weblogic.socket.ChannelSSLSocketFactory.getSocketFactory(ChannelSSLSocketFactory.java:185)

To work around this issue, copy the MIDDLEWARE_HOME/modules/cryptoj.jar file to the $OIM_HOME/designconsole/ext/ directory, and log in again.

10.3.6 Email Not Readable When Oracle Identity Manager Configured in SSL Mode

When Oracle Identity Manager is configured in SSL mode, the body of the email sent for approval task assignment from SOA is not readable. The following is displayed in the email body content:

Error 500--Internal Server Error
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.5.1 500 Internal Server Error
 
The server encountered an unexpected condition which prevented it from fulfilling the request.

10.3.7 Request Might Fail if SOA Server is Enabled to SSL Mode

If SOA, Oracle Identity Manager, and WebLogic Servers are configured to listen on the SSL port, then requests might fail.

To work around this issue, enable both the SSL and non-SSL listen ports for SOA, Oracle Identity Manager, and WebLogic Servers by using the WebLogic Administration Console.

10.3.8 Create User Event Fails in Integrated Environment

In an integrated environment of Oracle Access Manager, Oracle Identity Manager, and libOVD, during the Oracle Identity Manager create user event, the oblockedon attribute is not populated with the current date and time when orclAccountLocked=true. The attribute is populated with the value 0 when orclAccountLocked=false.

To work around this issue, apply the patch for the following OVD bug:

Bug# 16482350: OIM-OAM-LIBOVD:OUD: IAM-205024 FOR CREATING OIM USER

10.4 Multi-Language Support Issues and Limitations

This section describes multi-language issues and limitations. It includes the following topics:

10.4.1 UI Components are Displayed in English on non-English Web Browsers

On the Lookups or Form Details pages in Oracle Identity System Administration, most UI components are displayed in English on non-English web browsers.

This is a known issue, and a workaround is currently not available.

10.4.2 Date Format in Search Criteria Displayed in MM/dd/yyyy hh:mm:ss Format on non-English Locale

On Oracle BI Publisher Enterprise, while running Oracle Identity Manager 11g Release 2 (11.1.2) reports, the date fields on the search criteria panel are always displayed in the MM/dd/yyyy hh:mm:ss format on non-English locales, irrespective of the report locale or UI language selected for the currently logged-in BI Publisher user. The date format cannot be globalized because it is defined in the report data model and uses Java date format pattern letters.

10.4.3 BI Publisher 11g Reports Displayed in English Although Translation Files Are Available

Oracle Identity Manager 11g Release 2 (11.1.2) supports BI Publisher 11g for Oracle Identity Manager reports. The translations for these Oracle Identity Manager reports must be imported manually. Oracle Identity Manager has centralized translations: each locale has one XLIFF (.xlf) file covering all the Oracle Identity Manager reports.

By default, all BI Publisher 11g reports are displayed in English. Import the translation files into BI Publisher.

To import an XLIFF file:

  1. In Oracle BI Publisher Enterprise, select the Oracle Identity Manager folder in the catalog.

  2. Click the Translation toolbar button, and then select Import XLIFF.

  3. Click Browse to locate the translated file, and then select the appropriate locale from the list.

  4. Click Upload.

First, upload all the translation files in the catalog for each report. Then select the report, and change the report locale and UI language locale to run the report in a different locale.

10.4.4 Date Format in BI Publisher Report Not Displayed Per Report Locale Setting

The date format in the content and footer of the BI Publisher report is not displayed according to the value specified in Report Locale setting for the logged-in user.

This is a known issue, and a workaround is currently not available.

10.4.5 Translated Values Not Displayed for User Type and Locale

In the Create User and Modify pages, values of the following attributes are displayed in English irrespective of the browser language setting:

  • User Type, in the Basic Information section

  • Locale, in the Preferences section

This is a known issue, and a workaround is currently not available.

10.4.6 Catalog Search With Special Non-ASCII Characters Does Not Work Correctly

If catalog items, such as roles, application instances, and entitlements, contain special non-ASCII characters, such as some German, Greek, or Turkish characters, then search patterns containing these characters do not return correct results.

This is a known issue, and a workaround is currently not available.

10.4.7 Polish Translation of BI Publisher Files Does Not Work

BI Publisher 11.1.1.6.0 and 11.1.1.7.0 cannot handle the colon (:) in strings. Therefore, the Polish translation of BI Publisher files does not work correctly.

This is a known issue, and a workaround is currently not available.

10.4.8 Localized String for Cart is Truncated in the Catalog Search Results Page

In the Catalog Search Results page, the localized string for Cart on the top right of the page is displayed as truncated text.

This is a known issue, and a workaround is currently not available.

10.4.9 Request Type and Status Search Options Displayed in Server Locale

The values in the Request Type and Status lists in the search panel of the Track Requests tab are intermittently displayed in the server locale instead of the browser locale when Oracle Identity Manager is started or restarted.

To work around this issue, close the Track Requests tab and reopen it.

10.4.10 Values Not Displayed Per Browser Language Setting

Some drop-down list fields are displayed in English instead of the browser language. For example:

  • The following option values of the SortBy list on the Catalog Search page:

    • Type

    • Display Name

  • The following option values of the Risk Level list on the Detailed Information panel of the Catalog search result page:

    • High Risk

    • Medium Risk

    • Low Risk

  • The following Task Status option values in the Search panel, and values under Task Status column of Search Results table on the Provisioning Tasks page:

    • Pending

    • Rejected

  • Values in the Type list on the Form Designer page.

This is a known issue, and a workaround is currently not available.

10.4.11 Challenge Questions and Password Policy Messages Displayed in Server Locale

After Oracle Identity Manager is restarted, when you navigate to the self registration or Forgot Password pages while no user is logged in, the Challenge Questions and Password Policy messages are intermittently displayed in the server locale instead of the browser locale.

To work around this issue, log in to Oracle Identity Self Service by using any available user login credentials after Oracle Identity Manager is started or restarted.

10.4.12 Values for Organization Type and Status Displayed in English

The values in the Organization Type or Status lists in some pages are displayed in English although the browser is set to a non-English locale. For example:

  • The values in the Organization Type or Status lists in the Admin Roles tab of the My Access page in Oracle Identity Self Service.

  • The values in the Organization Type or Status lists for any selected admin role in the Admin Roles tab of User Details page in Oracle Identity Self Service.

  • The values in the Organization Type or Status lists in the Organizations tab of Role Details page in Oracle Identity Self Service.

  • The values in the Organization Type or Status lists for any selected suborganization in the Children tab of Organization Details page in Oracle Identity Self Service.

  • The values in the Organization Type or Status lists in the Search Parent Organization dialog box when creating a new organization in Oracle Identity Self Service.

  • The Type column of the Organizations tab of the Application Instances page in Oracle Identity System Administration.

This is a known issue, and a workaround is currently not available.

10.4.13 MLS and MR Support Not Available

Multi-Language Support (MLS) and Multi-Representation (MR) support are not available for Role Display Name and User Display Name in Oracle Identity Self Service.

10.4.14 Request Status and Request Type Displayed in English

The values of the Request Status and Request Type fields are displayed in English instead of browser language in the Request Details page and the Pending Request portlet of the Home page.

This is a known issue, and a workaround is not available.

10.4.15 Error Displayed If User Login Contains Special Character

If a user login name contains a special character, such as the German Eszett character or the Turkish dotted I character, then the following error message is displayed when you click Inbox in the left navigation pane in Oracle Identity Self Service:

An internal error has occurred. Please contact the administrator or Oracle support for help

10.4.16 Task Stage Name and Task Assignee Label Displayed in English

When you open the request details in the Track Requests page and navigate to the History Panel in the Approval Details tab, the task stage name and task assignee label are displayed in English instead of the translated language.

10.4.17 Escalating a Request Displays a Warning in Server Locale

If a request assignee has no manager, then escalating the request displays a warning message. The warning message is displayed in the server locale instead of the browser locale.

10.4.18 Some Predefined View Names Cannot Be Translated

The following predefined view names in the Inbox are hard coded in English and cannot be translated:

  • Pending Approvals

  • Pending Certifications

  • Manual Provisioning

10.4.19 Request Task Details Displayed in Server Locale

From the Home page or Inbox in Oracle Identity Self Service, when you open a task, the task details are displayed in the server locale instead of the browser locale.

To work around this issue:

  1. Navigate to the Inbox in Oracle Identity Self Service.

  2. Click the Edit User Preferences icon on the Worklist Views section toolbar. The Edit User Preferences dialog box is displayed.

  3. For Use language settings of, select the Browser option.

  4. Click OK.

10.5 Documentation Errata

Currently, there are no documentation issues to note.