2 Installation and Configuration Issues for Oracle Identity and Access Management

This chapter describes issues associated with the installation and configuration process of Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0).

2.1 General Issues and Workarounds

This section describes general issues and workarounds.

2.1.1 Simple Security Mode Does Not Work on AIX

On AIX, the Simple security mode does not work with Oracle Access Management Server 11.1.2.

Workaround: Use either the Open or Cert security mode. Open mode carries agent-to-server traffic without encryption, so prefer Cert mode wherever certificates can be issued to the agents.

2.1.2 Error Displayed in the Oracle Access Management Managed Server Logs

When you try to edit a policy in the Oracle Access Management administration console, the following error is displayed in the Oracle Access Management managed server logs:

<oracle.jps.policymgmt> <JPS-10606> <Failed to distribute policy to PDP OracleIDM for catch exception oracle.security.jps.service.policystore.PolicyStoreException: JPS-04028: Application with name "cn=OAM11gApplication,cn=jpsXmlFarm,cn=JPSContext,cn=jpsXmlRoot" does not exist..>

This exception is displayed every ten minutes even when the server is idle.

Workaround:

  1. After an installation performed with the -c option, remove the following properties from the pdp.service instance in the jps-config.xml file:

    <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/>
    <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
    
  2. Add the following new property to pdp.service instance properties:

    <property name="oracle.security.jps.pd.client.PollingTimerInterval" value="10"/>
    

    The value is in seconds; set it to the value Oracle Access Management requires. Make these changes only for Oracle Identity Management installs such as Oracle Identity Manager or Oracle Access Manager.

    The following is an example of a pdp.service instance in the jps-config.xml file after running the configureSecurityStore command:

    <serviceInstance name="pdp.service" provider="pdp.service.provider">
        <description>Runtime PDP service instance</description>
        <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="mixed"/>
        <property name="oracle.security.jps.runtime.instance.name" value="OracleIDM"/>
        <property name="oracle.security.jps.runtime.pd.client.sm_name" value="OracleIDM"/>
        <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/>
        <property name="oracle.security.jps.policystore.refresh.enable" value="true"/>
        <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
    </serviceInstance>
    

2.1.3 Mandatory Patches for Enabling SSL on Oracle HTTP Server

This section describes the mandatory patches to be downloaded and installed for enabling SSL on Oracle HTTP Server.

    Platform                          Patch
    Solaris (64 bit)                  14264658
    Microsoft Windows x64 (64 bit)    14264658
    Solaris x86-64 (64 bit)           14264658
    IBM AIX (64 bit)                  14264658
    Linux x86-64                      14264658

To download the patches, do the following:

  1. Log in to My Oracle Support.

  2. Click Patches & Updates.

  3. Select Patch name or Number.

  4. Enter the patch number.

  5. Click Search.

  6. Download and install the patch.

2.1.4 Optional: Setting log levels to SEVERE for WebLogic Servers in Identity and Access Management Domain

To change log levels to SEVERE, do the following:

  1. The logging.xml file must have level="SEVERE" for all log handlers and loggers on each server (OAM_Server1, OIM_Server1, SOA).

  2. Log in to Admin Console http://Hostname:port/console.

  3. Click Lock & Edit to unlock the domain.

  4. Click Servers link.

  5. Click on the server you want to make changes to.

  6. Click Logging.

  7. Click Advanced.

  8. Do the following to change the log levels in Message destination(s):

    Message destination         Severity level desired    Default setting
    Log File                    Warning                   Trace
    Standard out                Error                     Notice
    Domain log broadcaster      Error                     Notice
    Memory Buffer Severity      Error                     (blank)

  9. Click Save.

  10. Click Activate Changes.

  11. Restart the servers.

Repeat the process for all desired servers (OAM_Server1, OIM_Server1, SOA). Note that raising these thresholds also suppresses WARNING-level messages from the same log destinations, which reduces what is available for troubleshooting and security monitoring.

2.1.5 Modifying the Server Side Property for Oracle Identity Manager

The scheduler.disabled system property controls whether the scheduler starts on a node of a clustered setup. Set it to true on a cluster node on which you do not want the scheduler service to start, and to false on a node on which you do.

Following are the steps to modify the scheduler.disabled system property using Weblogic console: 

  1. Log in to the Oracle WebLogic Administration Console using the WebLogic administrator credentials.

  2. Under Domain Structure, click Environment > Servers. The Summary of Servers page is displayed.

  3. Click on the Oracle Identity Manager server name (for example, oim_server1). The Settings for oim_server1 is displayed.

  4. Click Configuration > Server Start.

  5. In the Arguments text box, change the value of the existing scheduler.disabled property to true or false as required.

  6. Click Save.

  7. Click Activate Changes.

  8. Restart the Oracle Identity Manager Managed Server.

    Note:

    After you modify the scheduler.disabled system property, you must start the Managed Server using the Node Manager.

2.2 Installation Issues and Workarounds

This section describes installation issues and workarounds.

2.2.1 Error when Installing Oracle Identity Manager Design Console

When you try to install Oracle Identity Manager Design Console on a Windows machine that has a firewall between it and the Oracle Identity Manager server, the following error message is displayed when you run the config.cmd command:

Error in validating the Hostname field value. Entered host is not up and running

To install Oracle Identity Manager Design Console, you must open port 7 in the firewall. The host name validation is a reachability check on TCP port 7 (the echo port); open it only from the Design Console machine to the Oracle Identity Manager server, and close it again once the installation is complete.

2.2.2 Mandatory Patches Required for Installing Oracle Identity Manager

This section describes the necessary patches that you must apply for installing and configuring Oracle Identity Manager.

Note:

This section provides the mandatory patches that were available at the time of publishing the release notes. For late-breaking changes and additional patch requirements, see My Oracle Support document ID 1536894.1.

Table 2-1 provides information about the mandatory patches required for Oracle Identity Manager. Please note that these patches can be applied in any order.

Table 2-1 Patches Required to Fix Specific Issues with Oracle Identity Manager 11gR2 (11.1.2.1.0)

Each entry gives the Oracle Fusion Middleware product or component, the patch number, when to apply it, and a description.

  Oracle SOA Suite
    Patch number: 16702086
    When to apply: After installing Oracle SOA Suite
    Description: This is the mandatory Oracle SOA Suite Bundle Patch 11.1.1.6.7. Follow the README.txt file for patching instructions.

  Oracle SOA Suite
    Patch numbers: 17988119, 18486891, 13973356
    When to apply: After installing Oracle SOA Suite Bundle Patch 11.1.1.6.7
    Description: These mandatory Oracle SOA Suite patches must be applied after Oracle SOA Suite has been upgraded to Bundle Patch 11.1.1.6.7 using patch 16702086. Choose the 11.1.1.6.7 version of these patches, and follow the README.txt file for patching instructions.

  Oracle User Messaging Service
    Patch number: 16366204
    When to apply: After installing Oracle SOA Suite
    Description: This is an Oracle User Messaging Service (UMS) patch. Choose the 11.1.1.6.0 version of this patch, and follow the README.txt file for patching instructions.

  Oracle WebCenter Portal
    Patch number: 16472592
    When to apply: After installing Oracle Identity Manager
    Description: This is an Oracle WebCenter Portal patch. Follow the README.txt file for patching instructions.

  Oracle Application Development Framework
    Patch number: 19976022
    When to apply: After installing Oracle Identity and Access Management
    Description: This is an Oracle Application Development Framework (ADF) patch. Follow the README.txt file for patching instructions.

  Oracle Platform Security Services
    Patch number: 16400771
    When to apply: After installing Oracle Identity Manager
    Description: This is an Oracle Platform Security Services (OPSS) patch. Follow the README.txt file for patching instructions.

  Oracle Virtual Directory - Identity Virtualization Library (libOVD)
    Patch number: 18919213
    When to apply: After installing Oracle Identity and Access Management
    Description: This patch is mandatory if you are using Identity Virtualization Library (libOVD). Note that this patch is classified as an Oracle Virtual Directory patch. Download the 11.1.1.6.0 version of this patch, and follow the README.txt file for patching instructions.

  Oracle Virtual Directory - Oracle Directory Server Enterprise Edition
    Patch number: 14016801
    When to apply: After installing Oracle Directory Server Enterprise Edition
    Description: This patch is mandatory if you are using Oracle Directory Server Enterprise Edition. Note that this patch is classified as an Oracle Virtual Directory patch. Download the 11.1.1.6.0 version of this patch, and follow the README.txt file for patching instructions.

  Oracle Unified Directory
    Patch number: 18489893
    When to apply: After installing Oracle Unified Directory
    Description: This patch is mandatory if you are using Oracle Unified Directory. Download the version of this patch that corresponds to the version of Oracle Unified Directory you installed, and follow the README.txt file for patching instructions.

  Oracle Access Manager
    Patch number: 16513008
    When to apply: After installing Oracle Identity and Access Management
    Description: You must apply this patch if you plan to integrate Oracle Identity Manager with Oracle Access Manager. Follow the README.txt file for patching instructions.

  Oracle Business Intelligence Publisher
    Patch number: 14630670
    When to apply: After installing Oracle Identity Manager
    Description: This is an Oracle Business Intelligence Publisher patch. Follow the README.txt file for patching instructions.

  Oracle IDM Tools
    Patch number: 17008132
    When to apply: After installing Oracle Identity and Access Management
    Description: This is an Oracle IDM Tools patch. Follow the README.txt file for patching instructions.

  Oracle Business Intelligence Publisher
    Patch number: 14088000
    When to apply: After installing Oracle Identity Manager
    Description: This is an Oracle Business Intelligence Publisher patch. Follow the README.txt file for patching instructions.

  Enterprise Manager for Fusion Middleware
    Patch number: 17375780
    When to apply: After installing Oracle Identity and Access Management
    Description: This is an Enterprise Manager patch. Follow the README.txt file for patching instructions.


To download the patches, do the following:

  1. Log in to My Oracle Support.

  2. Click Patches & Updates.

  3. Select Patch name or Number.

  4. Enter the patch number.

  5. Click Search.

  6. Download and install the patch.

Patching Instructions

If you are using Oracle WebLogic Server, follow the patching instructions in the README.txt file provided with each patch.

If you are using IBM WebSphere, follow the instructions provided below:

  1. Navigate to Patch_Home directory where the patch is located.

  2. Set the environment variable ORACLE_HOME to point to the SOA_HOME directory.

    For example:

    setenv ORACLE_HOME /mydirectory/myfolders/Oracle_SOA1
    
  3. Set the environment variable PATH to point to the OPatch directory.

    For example:

    setenv PATH /mydirectory/myfolders/Oracle_SOA1/OPatch:$PATH
    
  4. Execute the opatch command, as follows:

    opatch apply -jdk Path_To_IBM_jdk
    

    For example:

    opatch apply -jdk WAS_HOME/java
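Once the patches have been applied, the practical check is to compare what OPatch reports against the Table 2-1 list for each Oracle home. The following is an added example, not Oracle tooling: it parses the text that opatch lsinventory prints for one home and reports which required patches are absent. The inventory text embedded below is constructed for the example, and the grouping of patch numbers by home (Oracle_SOA1, Oracle_IDM1) is an assumption; confirm each patch's target home in its README.txt.

```python
"""Check an OPatch inventory listing against the Table 2-1 patch numbers.

Added example, not Oracle tooling: it parses `opatch lsinventory` output for one
Oracle home and reports which required patches are missing.
"""
import os
import re
import subprocess

# One line per applied patch in `opatch lsinventory` output, for example:
#   Patch  16702086     : applied on Thu Jun 20 11:03:52 IST 2013
# Keying on "applied on" avoids false positives from the "Bugs fixed:" lists,
# which repeat the same numbers.
PATCH_LINE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on", re.MULTILINE)

# Assumed grouping of the Table 2-1 patches by Oracle home (an assumption of
# this example; confirm each patch's target home in its README.txt).
REQUIRED_BY_HOME = {
    "Oracle_SOA1": {16702086, 17988119, 18486891, 13973356, 16366204},
    "Oracle_IDM1": {16472592, 16400771, 16513008, 17008132},
}


def applied_patches(lsinventory_output):
    """Set of patch numbers OPatch reports as applied."""
    return {int(n) for n in PATCH_LINE.findall(lsinventory_output)}


def missing_patches(lsinventory_output, required):
    """Required patch numbers that are absent from the inventory, sorted."""
    return sorted(set(required) - applied_patches(lsinventory_output))


def lsinventory(oracle_home):
    """Run OPatch for a real home, with ORACLE_HOME set as in the patching
    steps above (not exercised offline)."""
    opatch = os.path.join(oracle_home, "OPatch", "opatch")
    env = dict(os.environ, ORACLE_HOME=oracle_home)
    proc = subprocess.run([opatch, "lsinventory"], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed inventory text for a SOA home with only two patches applied;
# the dates and Unique Patch IDs are placeholders.
SAMPLE_INVENTORY = """\
Oracle Interim Patch Installer version 11.1.0.9.9
Copyright (c) 2013, Oracle Corporation.  All rights reserved.

Oracle Home       : /u01/app/oracle/Middleware/Oracle_SOA1

Interim patches (2) :

Patch  16702086     : applied on Thu Jun 20 11:03:52 IST 2013
Unique Patch ID:  16400293
   Created on 29 May 2013, 01:24:38 hrs PST8PDT
   Bugs fixed:
     16702086, 14750208, 16099054

Patch  16366204     : applied on Thu Jun 20 11:10:07 IST 2013
Unique Patch ID:  15932116
   Created on 18 Feb 2013, 23:06:12 hrs PST8PDT
   Bugs fixed:
     16366204

OPatch succeeded.
"""

if __name__ == "__main__":
    missing = missing_patches(SAMPLE_INVENTORY, REQUIRED_BY_HOME["Oracle_SOA1"])
    print("missing from Oracle_SOA1:", missing)  # [13973356, 17988119, 18486891]
```

Run it against a live home with missing_patches(lsinventory("/path/to/Oracle_SOA1"), REQUIRED_BY_HOME["Oracle_SOA1"]); an empty list means every patch in that group is present in that home's inventory.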
    

2.2.3 JPS Keystore Service Initialization Failure in Join Domain Scenario for Oracle Access Management Domain

In a join domain scenario between Oracle Identity Manager and Oracle Access Management, the keystore file referenced in the Oracle Platform Security Services configuration does not exist in the Oracle Access Management domain, but its password is already present in the Credential Store Framework from the Oracle Identity Manager installation. When the Oracle Access Management Administration Server tries to create the keystore, it fails because the credential key already exists.

Workaround:

Before starting the Administration Server, copy the keystore file from the Oracle Identity Manager domain to the Oracle Access Management domain's keystore location:

  1. In the Oracle Identity Manager domain, open jps-config.xml and find the default context.

  2. Under the default context, locate the keystore service instance and the keystore file location it references.

  3. Copy that keystore (.jks) file to the location defined for the keystore service in the Oracle Access Management domain's jps-config.xml.

    For example, copy the default keystore (.jks) file from <OIM domain>/config/fmwconfig to <OAM domain>/config/fmwconfig.

Note:

Perform this step after you have configured the Oracle Access Management domain using config.sh but before you start the Administration Server. The file contains the domain's keys, so copy it over a protected channel and keep its file permissions as restrictive as the original.

2.3 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds.

2.3.1 Default Cache Directory Error

When you start the Oracle Fusion Middleware Configuration Wizard, by running the config.cmd or the config.sh command, the following error message is displayed:

*sys-package-mgr*: can't create package cache dir

The error message indicates that the default cache directory is not valid. You can change the cache directory by including the -Dpython.cachedir=<valid_directory> option on the command line.

2.3.2 Launching Oracle Identity Manager Configuration Wizard on AIX with JDK7

You cannot launch the Oracle Identity Manager Configuration Wizard on AIX with JDK7 when you run the script $<ORACLE_HOME>/bin/config.sh.

Workaround: Add the -jreLoc option on the command line; the Oracle Universal Installer window then appears: $<ORACLE_HOME>/bin/config.sh -jreLoc <JRE_HOME>

2.3.3 Unable to Add Weblogic Password in the Fusion Middleware Configuration Wizard

In the Fusion Middleware Configuration Wizard, you may be unable to enter the WebLogic password on the Configure Administrator User Name and Password screen.

Workaround:

If you cannot type the password when prompted, click Next to go to the next screen. The error "Password cannot be empty" is displayed. Go back to the previous screen and type in the password again.

Note:

Before running the Oracle Fusion Middleware Configuration Wizard, ensure that you have installed the following:
  • Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5)

  • Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only)

  • Oracle Identity and Access Management 11g Release 2 (11.1.2)

2.3.4 Mandatory Steps to Complete After Installing Oracle Access Management or Oracle Identity Manager

The following are the steps that must be followed after installing Oracle Access Management 11g Release 2 (11.1.2) or Oracle Identity Manager 11g Release 2 (11.1.2):

  1. Configure the domain.

  2. Run the configureSecurityStore.py script to configure the security store.

  3. Copy the jps-config.xml file to jps-config.xml_old for recovery and reference.

  4. Do the following to edit the jps-config.xml file:

    1. Look for the XML element

      <serviceInstance name="pdp.service" provider="pdp.service.provider"> 
      
    2. Delete the following two entries:

      <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/> 
      <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
      

      After you delete these two properties, their default values take effect: true and 600000 (10 minutes) respectively.

    3. Add the following entry in the same section. The value is in seconds; 31536000 seconds is one year, so the PDP client polls only once a year, whereas Section 2.1.2 leaves the interval to the administrator:

      <property name="oracle.security.jps.pd.client.PollingTimerInterval" value="31536000"/>
      
    4. The edited XML must look like the following:

      <serviceInstance name="pdp.service" provider="pdp.service.provider">
          <description>Runtime PDP service instance</description>
          <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="mixed"/>
          <property name="oracle.security.jps.runtime.instance.name" value="OracleIDM"/>
          <property name="oracle.security.jps.runtime.pd.client.sm_name" value="OracleIDM"/>
          <property name="oracle.security.jps.policystore.refresh.enable" value="true"/>
          <property name="oracle.security.jps.pd.client.PollingTimerInterval" value="31536000"/>
      </serviceInstance>
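The edit in Section 2.1.2 and the one in this section are the same change to the pdp.service instance, and hand-editing jps-config.xml on every domain is where stray characters and lost properties creep in. The following is an added example, not Oracle tooling or part of the documentation: it removes the two properties, adds PollingTimerInterval (reusing the element if it is already there, so a re-run is harmless), backs the file up to jps-config.xml_old as step 3 prescribes, and leaves everything else in the file untouched. The sample fragment is constructed in the shape shown in Section 2.1.2, and the jps-config.xml namespace URI is an assumption of the example.

```python
"""Apply the pdp.service edit from Sections 2.1.2 and 2.3.4 to jps-config.xml.

Added example, not Oracle tooling: removes the two properties, adds
PollingTimerInterval, and keeps the rest of the file intact.
"""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

REMOVE = {
    "oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled",
    "oracle.security.jps.ldap.policystore.refresh.interval",
}
POLLING_PROP = "oracle.security.jps.pd.client.PollingTimerInterval"

# Default namespace of jps-config.xml (assumed URI); registering it keeps the
# rewritten file free of ns0: prefixes.
JPS_NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"
ET.register_namespace("", JPS_NS)


def _local(tag):
    """Element name without its namespace."""
    return tag.rsplit("}", 1)[-1]


def _qualify(like, local_name):
    """Tag for `local_name` in the same namespace as element `like`."""
    if like.tag.startswith("{"):
        return like.tag[: like.tag.index("}") + 1] + local_name
    return local_name


def _pdp_instances(root):
    return [el for el in root.iter()
            if _local(el.tag) == "serviceInstance" and el.get("name") == "pdp.service"]


def update_pdp_service(root, polling_seconds):
    """Edit every pdp.service instance in the tree. Returns the number of
    properties removed (2 on the first run, 0 on a re-run)."""
    instances = _pdp_instances(root)
    if not instances:
        raise ValueError("no serviceInstance named pdp.service found")
    removed = 0
    for inst in instances:
        props = [p for p in inst if _local(p.tag) == "property"]
        for prop in props:
            if prop.get("name") in REMOVE:
                inst.remove(prop)
                removed += 1
        polling = [p for p in props if p.get("name") == POLLING_PROP]
        if polling:  # already present: just set the value
            polling[0].set("value", str(polling_seconds))
        else:
            ET.SubElement(inst, _qualify(inst, "property"),
                          name=POLLING_PROP, value=str(polling_seconds))
    return removed


def pdp_properties(xml_text):
    """{name: value} of the pdp.service properties, for checking the result."""
    instances = _pdp_instances(ET.fromstring(xml_text))
    if not instances:
        raise ValueError("no serviceInstance named pdp.service found")
    return {p.get("name"): p.get("value")
            for p in instances[0] if _local(p.tag) == "property"}


def update_text(xml_text, polling_seconds=31536000):
    """Apply the edit to XML text (str or bytes); returns (new_text, removed)."""
    root = ET.fromstring(xml_text)
    removed = update_pdp_service(root, polling_seconds)
    return ET.tostring(root, encoding="unicode"), removed


def update_file(path, polling_seconds=31536000):
    """Copy jps-config.xml to jps-config.xml_old (step 3), then rewrite it."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + "_old"))
    new_text, removed = update_text(path.read_bytes(), polling_seconds)
    path.write_text('<?xml version="1.0" encoding="UTF-8"?>\n' + new_text + "\n",
                    encoding="utf-8")
    return removed


# Constructed fragment in the shape Section 2.1.2 shows after configureSecurityStore.
SAMPLE = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <description>Runtime PDP service instance</description>
      <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="mixed"/>
      <property name="oracle.security.jps.runtime.instance.name" value="OracleIDM"/>
      <property name="oracle.security.jps.runtime.pd.client.sm_name" value="OracleIDM"/>
      <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/>
      <property name="oracle.security.jps.policystore.refresh.enable" value="true"/>
      <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

if __name__ == "__main__":
    new_text, removed = update_text(SAMPLE)
    print(f"removed {removed} properties")
    print(new_text)
```

For a real domain call update_file("<domain>/config/fmwconfig/jps-config.xml") with the server stopped, then compare pdp_properties() of the result against the expected XML above before restarting. Parsing and re-serialising the file also acts as a well-formedness check: a damaged file raises a ParseError instead of being written back.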
      

2.3.5 Use Absolute Paths While Running configureSecurityStore.py With -m Join

The configureSecurityStore.py script fails to create the policy store object when variables such as ORACLE_HOME and MW_HOME are used while running it with the -m join parameter. Specify absolute paths for ORACLE_HOME and MW_HOME when running the command with the -m join parameter.

2.3.6 Security Store Join Fails on Windows

On Windows, when you run configureSecurityStore.py, the -m validate option succeeds, but the following error is reported towards the end of the -m join command:

c:\Amy_OPAM\Oracle\Middleware\Oracle_RC3\common\bin>wlst.cmd ..\tools\configureSecurityStore.py -d c:\Amy_OPAM\Oracle\Middleware\user_projects\domains\OPAM_RC3_Domain2 -c IAM -m join -p welcome1 -k c:\Amy_OPAM\software\RC3\ -w welcome1

Error: Failed to join security store, unable to locate diagnostics data.
Error: Join operation has failed.

Workaround:

Ignore the error. Although the error is reported, there is no functional impact: the server created with the join option starts successfully and continues to service requests.

Note that the -p and -w values are passwords. Passing them on the command line, as in this example, records them in the console history and exposes them to anyone who can list processes on the machine, so clear the history afterwards and do not reuse the example values.

2.3.7 Weblogic Server Configuration Wizard does not support JDK6 on AIX7

The WebLogic Server Configuration Wizard displays the warning CFGFWK-60895 for JDK 1.6.0.9.2 on AIX 7 when configuring Oracle Access Management, Oracle Adaptive Access Manager, and Oracle Privileged Account Manager.

Workaround:

  1. Install WebLogic Server.

  2. Install Oracle SOA Suite.

  3. Install Oracle Identity and Access Management.

  4. Run the Configuration Wizard.

  5. Create an Oracle Identity Manager (OIM) domain.

  6. Create domains for Oracle Access Management, Oracle Adaptive Access Manager, and Oracle Privileged Account Manager.

  7. The warning CFGFWK-60895: The selected JDK version is lower than recommended minimum version is displayed.

  8. Click Cancel to select a different JDK, or click OK to proceed with the same JDK.

Note:

Warning CFGFWK-60895 does not interfere with functionality.

2.3.8 Access Policy Manager Deployments Do Not Target Administration Server in Cluster Scenario

When you select the Oracle Entitlements Server template for the Administration Server, Access Policy Manager (APM) is deployed to the Administration Server by default.

However, when a cluster for any component is created with more than one server instance, APM is targeted to the clustered servers instead of the Administration Server, which causes the servers within the cluster to come up in administration mode.

For example, if you have a domain with one instance of Oracle Identity Manager, SOA and Oracle Access Management, the Access Policy Manager is targeted to the administration server. However, if you create another instance of Oracle Identity Manager, so that it has two instances at the time of domain creation, then the Access Policy Manager is deployed to the clustered servers (in this case Oracle Identity Manager server) and not administration server.

Workaround:

  1. Log in to Weblogic administration console.

  2. Click Deployments.

  3. Click oracle.security.apm (11.1.1.3.0).

  4. Click Targets.

  5. Click Lock & Edit.

  6. Select oracle.security.apm (11.1.1.3.0).

  7. Click Change Targets.

  8. Select AdminServer.

  9. Click Yes.

  10. Click Activate Changes and restart the administration server.

2.3.9 Requests Fail with ClassCastException

When you install Oracle Identity Manager on WebLogic Server 10.3.5.0, requests fail with the following exception:

Unable to instantiate the workflow process due to: Tasklist mapping failed for workflowdefinition: default/DefaultRequestApproval!1.0 due to oracle.bpel.services.workflow.query.ejb.TaskQueryService_oz1ipg_HomeImpl_1035_WLStub cannot be cast to oracle.bpel.services.workflow.query.ejb.TaskQueryServiceRemoteHome.

This happens when initiating the approvals for a request.

Workaround:

For WebLogic Server 10.3.5 you must download and install patch 12944361. WebLogic Server 10.3.6 does not require this patch.

2.3.10 Modify PKCS11-Solaris Security Provider Before Running the configureSecurityStore.py Command When Using Sun JDK 1.7

The configureSecurityStore.py command fails when installing Oracle Identity and Access Management 11g Release 2 components on Solaris 10 SPARC or later using JDK 1.7. This is caused by the implementation of the PKCS11-Solaris security provider.

Workaround:

  1. Back up the file $JAVA_HOME/jre/lib/security/java.security.

  2. Open the file $JAVA_HOME/jre/lib/security/java.security in a text editor and modify the provider list so that sun.security.pkcs11.SunPKCS11 is at the beginning, renumbering the remaining entries so that they stay contiguous. For example:

    security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
    security.provider.2=com.oracle.security.ucrypto.UcryptoProvider ${java.home}/lib/security/ucrypto-solaris.cfg
    ...

The provider order is global to that JDK installation: every JVM started from it, not only the configuration tools, picks up the change.
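The two things that go wrong when this list is edited by hand are a duplicated or skipped provider number and a provider line that loses its configuration-file argument. The following is an added example, not Oracle tooling or part of the documentation: it moves the SunPKCS11 entry to position 1, keeps the remaining providers in their existing order, renumbers them without gaps, and leaves every other line of java.security untouched. The excerpt it operates on is constructed to resemble the Solaris JDK 7 file and is not a copy of it.

```python
"""Put sun.security.pkcs11.SunPKCS11 first in a java.security provider list.

Added example, not Oracle tooling: rewrites the security.provider.N lines in
place and renumbers them contiguously, leaving every other line untouched.
"""
import re
import shutil
from pathlib import Path

PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(.*)$")
PKCS11 = "sun.security.pkcs11.SunPKCS11"


def provider_order(text):
    """Provider entries (class plus optional config argument) in numeric order."""
    found = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2).strip()))
    return [value for _, value in sorted(found)]


def reorder_providers(text, first=PKCS11):
    """Return text with `first` as security.provider.1 and the others following
    in their existing order, numbered 1..N without gaps: the JCE reads the list
    up to the first missing number, so a gap silently drops the rest."""
    lines = text.splitlines(keepends=True)
    positions = [i for i, line in enumerate(lines)
                 if PROVIDER_RE.match(line.rstrip("\r\n"))]
    if not positions:
        raise ValueError("no security.provider.N entries found")
    ordered = provider_order(text)
    target = [v for v in ordered if v.split()[0] == first]
    if not target:
        raise ValueError(f"{first} is not in the provider list")
    ordered = target + [v for v in ordered if v.split()[0] != first]
    # Rewrite each provider line in its original position with its new number,
    # preserving the line's own end-of-line sequence.
    for number, (i, value) in enumerate(zip(positions, ordered), start=1):
        eol = lines[i][len(lines[i].rstrip("\r\n")):]
        lines[i] = f"security.provider.{number}={value}{eol}"
    return "".join(lines)


def patch_java_security(java_home):
    """Back up and rewrite $JAVA_HOME/jre/lib/security/java.security, returning
    the resulting provider order (not exercised offline)."""
    path = Path(java_home) / "jre" / "lib" / "security" / "java.security"
    shutil.copy2(path, path.with_name(path.name + ".orig"))
    path.write_text(reorder_providers(path.read_text(encoding="utf-8")),
                    encoding="utf-8")
    return provider_order(path.read_text(encoding="utf-8"))


# Constructed excerpt in the shape of the Solaris JDK 7 java.security file.
SAMPLE = """\
# Constructed excerpt, not the shipped file.
security.provider.1=com.oracle.security.ucrypto.UcryptoProvider ${java.home}/lib/security/ucrypto-solaris.cfg
security.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.3=sun.security.provider.Sun
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=sun.security.ec.SunEC
security.provider.6=com.sun.net.ssl.internal.ssl.Provider

securerandom.source=file:/dev/urandom
"""

if __name__ == "__main__":
    for entry in provider_order(reorder_providers(SAMPLE)):
        print(entry)
```

Running it twice yields the same file, so it is safe to re-run after a JDK update re-installs the original list; the return value of patch_java_security() can be checked against the expected order before configureSecurityStore.py is run.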

2.3.11 Server Startup Failure

If you start the OES domain without running the configureSecurityStore.py script, the server fails to start with following exception:

oracle.security.jps.service.keystore.KeyStoreServiceException: Failed to perform cryptographic operation Caused by: javax.crypto.BadPaddingException: Given final block not properly padded 

Workaround:

Export the domain encryption key from a domain in the same logical Oracle Identity and Access Management deployment that is already configured to work with the database security store, and then run the configureSecurityStore.py script, supplying the exported key file and its password (the -k and -w parameters shown in Section 2.3.6). The export command is:

exportEncryptionKey(jpsConfigFile=jpsConfigFile_Loc,keyFilePath=keyFilePath,keyFilePassword=keyFilePassword)

where:

jpsConfigFile_Loc - is the absolute location of the file jps-config.xml in the domain from which the encryption key is being exported.

keyFilePath - is the directory where the file ewallet.p12 is created; the content of this file is encrypted and secured by keyFilePassword. The file holds the domain encryption key, so restrict its permissions, transfer it only over a protected channel, and delete it once the import is complete.

keyFilePassword - is the password securing the file ewallet.p12; the same password must be supplied when importing that file.