This chapter describes issues associated with Oracle Access Management. It includes the following topics:
Note: For late-breaking changes and information, see My Oracle Support document ID 1537796.1.
This section describes general issues and workarounds organized by specific Access Manager services. If you do not find a service-related topic (Access Portal, for example), there are no general issues at this time.
The following topics are included:
Section 5.1.1, "General Issues and Workarounds: Access Manager"
Section 5.1.2, "General Issues and Workarounds: Security Token Service"
Section 5.1.3, "General Issues and Workarounds: Identity Federation"
Section 5.1.4, "General Issues and Workarounds: OAuth Services, and Mobile and Social"
This topic describes general issues and workarounds for Oracle Access Management Access Manager (Access Manager). It includes the following topics:
Section 5.1.1.1, "BasicScheme Does Not Redirect to Failure URL when Using Internet Explorer Browser"
Section 5.1.1.2, "Error During Federation Configuration After Upgrade From PS1 to PS2"
Section 5.1.1.3, "Time Between Access Manager and Mobile Device Must Be Synced"
Section 5.1.1.4, "User Account Not Locked After Invalid Attempts"
Section 5.1.1.5, "UseCaseInsensitiveResourceMatch Doesn't Work in PS2"
Section 5.1.1.6, "Additional Setting Required for Case Insensitive Policy Resource Matching"
Section 5.1.1.7, "Cookie Based Session Management Available Only for 11g WebGates"
Section 5.1.1.8, "Logout URL Value in DCC Profile Doesn't Clear Browser Session"
Section 5.1.1.9, "Automated Policy Synchronization Not Enabled and Supports Only Policy Artifacts"
Section 5.1.1.10, "Not All User Attributes Are Available For Post Authentication Rules"
Section 5.1.1.11, "Partner Registration Fails When Using WebSphere Application Server"
Section 5.1.1.12, "Attributes That Have No Value Defined Substituted With NULL"
Section 5.1.1.13, "Access Denied When LDAP Authentication Module Changed to OID"
Section 5.1.1.15, "Granular Timeout Doesn't Work If Cookie-based SME Enabled"
Section 5.1.1.16, "OCSP Not Available for x509 Plugin on WAS"
Section 5.1.1.17, "upgradeConfig() Fails On WebSphere Application Server"
Section 5.1.1.18, "JDK7 Required for OAM 10g/OAM 11g Coexistence"
Section 5.1.1.19, "X.509 Minimum Keylength Increases with JDK 7u 40"
Section 5.1.1.23, "Can't Use WLST Commands For Federated SSO Password Policy."
Section 5.1.1.25, "Can't Get Static Method UserSession.getSessionAttributes()."
Section 5.1.1.26, "Consecutive Logins in Multiple Tabs Doesn't Work for WebGate."
Section 5.1.1.27, "Unsupported Items in WebSphere Trust Association Interceptor."
Section 5.1.1.28, "Logged Error During OAM Server Configuration Test."
Section 5.1.1.29, "Simple Policy Not Migrated After Complete Migration."
Section 5.1.1.30, "Available Services Page Won't Open In Localized Internet Explorer 9."
Section 5.1.1.32, "Create Provider Manually When Extending OIM Domain."
Section 5.1.1.33, "Unable to Access "/" Context Root if Protected by OSSO Agent for 11g OHS."
Section 5.1.1.35, "Access Tester Does Not Work with Non-ASCII Agent Names."
Section 5.1.1.37, "Simple Mode is Not Supported for JDK 1.6 and AIX."
Section 5.1.1.38, "User Might Need to Supply Credentials Twice with DCC-Enabled WebGate."
When using Internet Explorer (version 8 and above) and the authentication scheme is set to "BasicScheme" with a failure URL configured at the Application Domain, the user is not redirected to the failure URL after the maximum number of failed attempts is reached. An error is displayed without redirecting to the failure URL or the OAM system error page.
To work around this, set the MaxRetryLimit on the OAM side to a value less than or equal to 3 and set the OverrideRetryLimit challenge parameter to 1, 2 or 3. The user is then prompted only the configured number of times and, on failure, is redirected to the configured failure URL.
IAM Suite is the OOTB Application Domain created when OAM 11.1.2 is installed. This Application Domain can be renamed after installation, but when upgrading OAM to 11.1.2.2.0 it must be renamed back to IAM Suite; otherwise the upgrade operation fails with the following error in the WLS admin logs:
java.lang.NullPointerException
    at oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.FedR2PS2BootstrapHandler.createFedAuthnResource(FedR2PS2BootstrapHandler.java:505)
    at oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.FedR2PS2BootstrapHandler.doBootstrap(FedR2PS2BootstrapHandler.java:151)
    at oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.R2PS2BootstrapHelper.doBootstrap(R2PS2BootstrapHelper.java:70)
    at oracle.security.am.common.policy.tools.PolicyComponentLifecycle.initialize(PolicyComponentLifecycle.java:99)
If the IAM Suite Application Domain has been renamed after installation, it is required to rename it back to its original IAM Suite name prior to beginning the upgrade process. After the upgrade process is complete, the name can be changed back to its custom name.
Time synchronization between mobile devices and the Access Manager server is not supported; therefore, the OTP code generated by the mobile device will not be validated by Access Manager if the times are not in sync.
In an integrated Access Manager-Identity Manager environment in which Active Directory is the back-end identity store, a user account will not be locked after the configured number of authentication attempts with invalid credentials.
The UseCaseInsensitiveResourceMatch flag (which controls case-sensitive resource pattern matching) does not work. To work around this issue, change the configuration key name from "UseCaseInsensitiveResourceMatch" to "USE_CASE_INSENSITIVE_RESOURCE_MATCH".
A setting must be added to oam-config.xml and configured in order to work around an issue with the "Case Insensitive Policy Resource Matching" option. The additional setting that must be added under PolicyService -> OAMPolicyProvider -> properties is:
<Setting Name="USE_CASE_INSENSITIVE_RESOURCE_MATCH" Type="xsd:boolean">true</Setting>
Client-side session management (also referred to as cookie-based session management) is available only for 11g WebGate agents.
If the DCC WebGate profile for an 11g APACHE WebGate contains the default value for the Logout URL (/logout.html), DCC cookies are not cleared when logging out; thus the session still exists within the browser. If the default value of Logout URL is removed from the DCC WebGate profile, log out works as expected.
Multi-Data Center and the Automated Policy Synchronization feature support only policy artifacts, not system artifacts. Additionally, Automated Policy Synchronization is disabled out of the box. To enable it, set the Java system property -DENABLE_ENTITY_JOURNAL=true.
Not all user attributes can be used when writing Post Authentication Rules. For this release, only userId, userDN and guid are available.
If deployed in WebSphere Application Server, partner registration using the Access Manager Console or rreg fails when an offline wsadmin command (for example, Oam.createUserIdentityStore) is executed while the AdminServer and the oam_server are running. To rectify this, restart the servers after executing any offline wsadmin command.
If an attribute is defined in the Identity Store with no value, a NULL is substituted for the parameter in responses that refer to it. For example, if parameter ${user.deptname} has no defined value in the Identity Store for the specified user, the response at runtime will be NULL. (In R1, NONE was used.)
To work around this error, use idmConfigTool.sh to provision values for the WebLogic administration server host, port and WebLogic user (including password) into the OAM config store as a post-installation step. Use these values when accessing IDS MBeans instead of the user/password of the subject that is logged in.
The following are known limitations of SHA-2 support, by design.
WebGate will not work in simple mode when using SHA-2 certificates.
SHA-2 support is not provided for 32-bit platform.
SHA-224 certificates are not supported.
The granular timeout functionality does not work when Cookie-based SME is enabled (set to true). This is expected behavior.
OCSP is not available for x509 Plugin when Access Manager 11g is deployed on WebSphere Application Server containers.
upgradeConfig() fails on WebSphere Application Server when used in some shells. For example, when using the tcsh shell, the wsadmin.sh script on WebSphere does not export ORACLE_HOME. Thus, it fails and prints a "Could not identify correct ORACLE_HOME location" error message. Any of the following works around this issue:
Use the bash shell to launch $ORACLE_HOME/common/bin/wsadmin.sh. The problem does not occur when using the bash shell.
Explicitly export the value of ORACLE_HOME before launching wsadmin.sh:
export ORACLE_HOME
Modify $ORACLE_HOME/common/bin/wsadmin.sh to export ORACLE_HOME.
When configuring OAM 10g and OAM 11g coexistence (a new feature of R2PS2), JDK 7 is required because of two security JARs that it contains.
JDK 7u40 increases the minimum key length for X.509 from 512 bits to 1024 bits. (This change was made to discourage the use of key lengths that are considered weak by current standards.) To change this default behavior, consult the JDK documentation.
Support for 64-bit platform Non-OHS WebGate agents on IBM Power AIX 5.3, 6.1 and 7.1 has been added. The Apache Server will not start or work with AIX 6.1 and 7.1 unless the LDR_PRELOAD64 flag is set using the following command:
export LDR_PRELOAD64=libclntsh.so
The 11gR2 PS1 ASDK has incorrect version details:
The getSDKVersion() API returns a 11.1.2.0.0 value instead of a 11.1.2.1.0 value.
The name of the ofm_oam_sdk_generic_11.1.2.1.0_disk1_1of1.zip disk might be ofm_oam_sdk_generic_11.1.2.0.0_disk1_1of1.zip.
The following benign exception might be seen on the Administration and Managed servers. It can be ignored.
java.lang.NoClassDefFoundError: oracle/security/am/engines/rreg/common/RegistrationRequest
    at java.lang.Class.getDeclaredMethods0(Native Method)
    at java.lang.Class.privateGetDeclaredMethods(Class.java:2427)
    at java.lang.Class.privateGetPublicMethods(Class.java:2547)
    at java.lang.Class.getMethods(Class.java:1410)
    at oracle.security.am.admin.config.mgmt.beanimpl.AMBootstrap.isBootstrapCandidate(AMBootstrap.java:191)
    at oracle.security.am.admin.config.mgmt.beanimpl.AMBootstrap.invokeBootstrapMethods(AMBootstrap.java:146)
    at oracle.security.am.admin.config.mgmt.beanimpl.AMBootstrap.doServerBootstrap(AMBootstrap.java:106)
    at oracle.security.am.admin.config.mgmt.beanimpl.AMBootstrap.load(AMBootstrap.java:247)
The following benign exception is seen in the AdminServer-diagnostic.log file. It does not impact the Administration Console functionality and can be ignored.
oracle.mds.exception.ReadOnlyStoreException: MDS-01273: The operation on the resource /oracle/oam/ui/adfm/DataBindings.cpx failed because source metadata store mapped to the namespace / DEFAULT is read only.
    at oracle.mds.core.MDSSession.checkAndSetWriteStoreInUse(MDSSession.java:2495)
    at oracle.mds.core.MDSSession.checkAndSetWriteStoreInUse(MDSSession.java:2548)
    at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:3493)
    at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:1660)
    at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:1546)
    at oracle.adfdt.model.mds.MDSApplicationService.findApplication(MDSApplicationService.java:57)
    at oracle.adfdt.model.mds.MDSModelDesignTimeContext.initServices(MDSModelDesignTimeContext.java:232)
    at oracle.adfdt.model.mds.MDSModelDesignTimeContext.<init>(MDSModelDesignTimeContext.java:82)
    at oracle.adfdt.mds.MDSDesignTimeContext.<init>(MDSDesignTimeContext.java:66)
    at oracle.adf.view.rich.dt.DtAtRtContext.<init>(DtAtRtContext.java:22)
    at oracle.adf.view.rich.dt.Page.<init>(Page.java:535)
    at oracle.adf.view.rich.dt.Page.getInstance(Page.java:80)
    at oracle.adf.view.page.editor.customize.ComposerPageResolver.getPageObject(ComposerPageResolver.java:200)
    at oracle.adfinternal.view.page.editor.contextual.event.ContextualResolver.getPageDefinition(ContextualResolver.java:1229)
    at oracle.adfinternal.view.page.editor.contextual.event.ContextualResolver.<init>(ContextualResolver.java:129)
WLST commands cannot be used for adding, editing or deleting the federated SSO password policy profile until the following modifications have been made manually to the oam-config.xml file.
Back up the existing oam-config.xml file.
Find Setting Name="UserProfileInstance" in the file and add the following entry as a child of the "UserProfileInstance" setting:
<Setting Name="NEW_PROFILE" Type="htf:map">
  <Setting Name="PasswordPolicyAttributes" Type="htf:map">
    <Setting Name="FORCED_PASSWORD_CHANGE" Type="xsd:boolean">true</Setting>
    <Setting Name="USER_ACCOUNT_DISABLED" Type="xsd:boolean">true</Setting>
    <Setting Name="PASSWORD_EXPIRED" Type="xsd:boolean">true</Setting>
    <Setting Name="TENANT_DISABLED" Type="xsd:boolean">true</Setting>
    <Setting Name="USER_ACCOUNT_LOCKED" Type="xsd:boolean">true</Setting>
  </Setting>
</Setting>
For edit and delete, make the changes on the existing profile entry in oam-config.xml.
Increment the oam-config.xml "Version" setting and persist the changes.
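Two of the workarounds in these notes require hand edits to oam-config.xml: the USE_CASE_INSENSITIVE_RESOURCE_MATCH setting under PolicyService -> OAMPolicyProvider -> properties, and the password policy profile under UserProfileInstance followed by incrementing the Version setting. Both are easy to get wrong with a text editor. The following Python script is an added example, not Oracle tooling or code from this document: it applies both edits with an XML parser, fixes an existing USE_CASE_INSENSITIVE_RESOURCE_MATCH entry in place rather than duplicating it, refuses to add a profile that already exists, and bumps Version. The nesting of the constructed sample file (an NGAMConfiguration map holding the Version, PolicyService and UserProfileInstance settings) is an assumption about oam-config.xml's layout; the functions locate settings by Name so they do not depend on the exact depth.

```python
"""Apply the two manual oam-config.xml edits from these notes with a parser.
Added example, not Oracle tooling; the sample layout below is assumed."""
import xml.etree.ElementTree as ET

# Constructed sample; the nesting (NGAMConfiguration holding Version, PolicyService
# and UserProfileInstance) is an assumption, which is why lookups go by Name.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="NGAMConfiguration" Type="htf:map">
    <Setting Name="Version" Type="xsd:integer">17</Setting>
    <Setting Name="PolicyService" Type="htf:map">
      <Setting Name="OAMPolicyProvider" Type="htf:map">
        <Setting Name="properties" Type="htf:map"/>
      </Setting>
    </Setting>
    <Setting Name="UserProfileInstance" Type="htf:map">
      <Setting Name="ExistingProfile" Type="htf:map"/>
    </Setting>
  </Setting>
</Configuration>
"""
PASSWORD_POLICY_FLAGS = ("FORCED_PASSWORD_CHANGE", "USER_ACCOUNT_DISABLED",
                         "PASSWORD_EXPIRED", "TENANT_DISABLED", "USER_ACCOUNT_LOCKED")

def _local(tag):
    """Local element name, so a namespaced file is handled the same way."""
    return tag.rsplit("}", 1)[-1]

def _child_tag(parent):
    """Tag for a new Setting child, in the parent's namespace if it has one."""
    return parent.tag.rsplit("}", 1)[0] + "}Setting" if "}" in parent.tag else "Setting"

def _children(elem):
    return [c for c in elem if _local(c.tag) == "Setting"]

def load_config(xml_text):
    return ET.fromstring(xml_text)

def find_setting(root, *names):
    """Walk Setting elements by Name: the first name is searched anywhere in the tree,
    each following name must be a direct child of the previous match. None if absent."""
    current = next((e for e in root.iter()
                    if _local(e.tag) == "Setting" and e.get("Name") == names[0]), None)
    for name in names[1:]:
        if current is None:
            break
        current = next((c for c in _children(current) if c.get("Name") == name), None)
    return current

def get_version(root):
    return int(find_setting(root, "Version").text.strip())

def bump_version(root):
    """Last step of the WLST workaround: increment Version so the change is picked up."""
    version = find_setting(root, "Version")
    version.text = str(int(version.text.strip()) + 1)
    return int(version.text)

def _add_bool(parent, name):
    child = ET.SubElement(parent, _child_tag(parent), Name=name, Type="xsd:boolean")
    child.text = "true"
    return child

def ensure_case_insensitive_match(root):
    """Section 5.1.1.6: USE_CASE_INSENSITIVE_RESOURCE_MATCH=true under
    PolicyService -> OAMPolicyProvider -> properties. True if it had to be added."""
    props = find_setting(root, "PolicyService", "OAMPolicyProvider", "properties")
    if props is None:
        raise ValueError("PolicyService/OAMPolicyProvider/properties not found")
    name = "USE_CASE_INSENSITIVE_RESOURCE_MATCH"
    existing = next((c for c in _children(props) if c.get("Name") == name), None)
    if existing is not None:
        existing.text = "true"   # present but possibly false: fix in place
        return False
    _add_bool(props, name)
    return True

def add_password_policy_profile(root, profile_name):
    """Section 5.1.1.23: new profile under UserProfileInstance with the five flags.
    Refuses to add a duplicate; an existing profile is edited in place instead."""
    instance = find_setting(root, "UserProfileInstance")
    if instance is None:
        raise ValueError("UserProfileInstance not found")
    if any(c.get("Name") == profile_name for c in _children(instance)):
        raise ValueError(f"profile {profile_name!r} already exists")
    profile = ET.SubElement(instance, _child_tag(instance), Name=profile_name, Type="htf:map")
    attrs = ET.SubElement(profile, _child_tag(profile), Name="PasswordPolicyAttributes", Type="htf:map")
    for flag in PASSWORD_POLICY_FLAGS:
        _add_bool(attrs, flag)
    return profile

def patch_config(xml_text, profile_name):
    """Both edits plus the Version bump; returns new XML text. Back the file up first."""
    root = load_config(xml_text)
    ensure_case_insensitive_match(root)
    add_password_policy_profile(root, profile_name)
    bump_version(root)
    return ET.tostring(root, encoding="unicode")
```

Run patch_config on the contents of a backed-up oam-config.xml and write the result to the file; because lookups go by Name, the script also serves as a quick check that the three settings the workarounds refer to actually exist in your copy before you edit anything.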
A CertPathValidatorException is seen in the Access Manager diagnostic log when accessing a Resource. For example:
[2013-03-12T21:39:09.281-07:00] [oam_server1] [ERROR] [OAMSSA-12117] [oracle.oam.engine.authn] [tid: WebContainer : 3] [ecid: disabled,0] [APP: oam_server_11.1.2.0.0] Cannot validate the user certificate.[[
java.security.cert.CertPathValidatorException: The certificate issued by O=My Company Ltd, L=Newbury, ST=Berkshire, C=GB is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
    at
The static getSessionAttributes() method does not retrieve all Session attributes for a user - only those which have been set using the ASDK.
FORM Cache Mode should be used to support multi-tab browser behavior. By default, it is set to COOKIE Mode.
The following items are unsupported in the Access Manager WebSphere Trust Association Interceptor (TAI) when compared to the Access Manager WebLogic Server Identity Asserter.
Access Manager WAS TAI does not support SAML assertions based on the OAM_IDENTITY_ASSERTION header.
OAM WAS TAI does not support the Identity Context. Identity Context is supported based on the OAM_IDENTITY_ASSERTION header by Access Manager WebLogic Server Identity Asserter.
After running idmConfigTool.sh -configOAM, two WebGate profiles are created: Webgate_IDM and Webgate_IDM_11g; both are 11g. When validating each Access Manager server configuration using the oamtest tool, the Administration Console displays the connection status correctly, but a long error/exception is logged for each WebGate. This logged error is expected and can be ignored.
When performing a fresh incremental migration or a delta incremental migration after a complete migration, Simple Policies are not migrated. This issue is due to a Maximum Session Time lapse. Either restart the Administration Server or change the value of Maximum Session Time to more than 120 minutes.
When accessing the OAM Administration Console localized for cn or jp using Internet Explorer 9, double-clicking the Available Services text does not open the related page. Clicking the folder icon instead of the text works. Alternatively, use Internet Explorer 8 or Firefox. If it works when using Internet Explorer 7, you can force OAM to run in Internet Explorer 7 compatibility mode. See the PDF called Run ADF Faces applications with IE 9 in IE 8 compatibility mode at Oracle Technology Network.
The RSA plugin has been removed as a system plugin. The functionality can still be accessed by installing and using a custom RSA plugin.
If extending the Oracle Identity Manager domain by adding Oracle Access Management Access Manager, the 'OIMAuthenticationProvider' will be deleted. When integrating OIM and OAM using idmConfigTool -configOIM, providers are automatically reordered as required. If not using idmConfigTool -configOIM, the provider needs to be created manually.
mod_osso agents shipped with 11g OHS cannot be configured to protect the context root '/'.
You will get a runtime exception when starting an instance of Access Manager protected by Oracle Entitlements Server. The exception can be ignored.
If you register a WebGate with Access Manager using a non-ASCII name and then, in the Access Tester, enter a valid IP Address, Port and Agent ID (the non-ASCII name) and click Connect, connection testing fails.
Configure Access Manager to use the Kerberos Authentication Scheme with the WNA challenge method, and create a non-ASCII user in Microsoft Active Directory.
An exception occurs when trying to get user details to populate the subject with the user DN and GUID attributes. Authentication fails and an error is recorded in the OAM Server log when a non-ASCII user in Active Directory attempts to access an Access Manager-protected resource:
... Failure getting users by attribute : cn, value ....
The username in the attribute is passed without modification as a Java string.
Non-ASCII users can access the resource protected by Kerberos WNA scheme by applying the following JVM system property in the startManagedWeblogic.sh script in $DOMAIN_HOME/bin:
-Dsun.security.krb5.msinterop.kstring=true
Simple mode is not supported with JDK 1.6 and on AIX platforms. Use Open or Cert mode instead.
When you have a Detached Credential Collector-enabled WebGate combined with a resource WebGate, the user might have to provide credentials twice. This can occur when login is triggered with a URL that results in an internal forward by Oracle HTTP Server.
To resolve this issue, you can use the following workaround:
Edit the httpd.conf file to add rewrite rules that redirect the browser for directory access (before the WebGate configuration include). For example:
RewriteEngine On
RewriteRule ^(.*)/$ "$1/welcome-index.html" [R]
For an SSL-enabled Web server, repeat these rules under the SSL configuration.
This topic describes general issues and workarounds for Oracle Access Management Security Token Service (Security Token Service). It includes the following topics:
Section 5.1.2.1, "STS Does Not Honor The Lifetime Sent In RequestSecurityToken."
Section 5.1.2.2, "Click On Security Token Service Column Throws Exception."
Section 5.1.2.3, "Issues with Searches and Non-English Browser Settings."
Security Token Service does not process the Lifetime sent in the WS-Trust RequestSecurityToken message. Rather, the WS-Trust RequestSecurityTokenResponse contains the Lifetime per the configured token validity time in the Oracle Security Token Service Issuance Template.
When adding a new Attribute Name Mapping during the creation of a New Requester Profile in the Security Token Service section of the Access Manager Administration Console, an error message indicating an Unsupported Operation Exception can be displayed when clicking twice on a column titled Row No.
Security Token Service searches might not return the expected result when the browser language is set to a non-English language. For example, this occurs when setting the:
Partner Type field to Requester, Relying Party or Issuing Authority in the Requesters, Relying Party or Issuing Authorities screens
Token Type to Username on the Token Issuance Templates screen when the Oracle Access Manager Administration Console browser setting is non-English
Token Type to Username on the Token Validation Templates screen when the Oracle Access Manager Administration Console browser setting is non-English
When the browser language is English, the search returns expected results.
This topic describes general issues and workarounds for Oracle Access Management Identity Federation (Identity Federation). It includes the following topic:
This problem is seen in the following situation:
WebGate fronts a resource.
The "Allow Credential Collector Operations" option is checked for that WebGate.
The resource is protected by a policy using FederationScheme.
Because of this issue, when access to the resource is requested, the server returns a 200 response containing a URL to which the browser then submits the request with a POST, whereas the browser should have been redirected with a 302.
To resolve this issue, for WebGate agents fronting resources protected with the FederationScheme, disable the "Allow Credential Collector Operations" option.
This topic describes general issues and workarounds for Oracle Access Management Mobile and Social. It includes the following topics:
Section 5.1.4.1, "Mobile and Social Does not Support the Native Android OS Browser"
Section 5.1.4.2, "Internet Explorer Users Need to Enable Protected Mode"
Section 5.1.4.4, "The Mobile and Social Settings Pane can be Dragged out of View"
Mobile and Social supports the Mozilla Firefox and Google Chrome browsers on Android devices. The following issues are known to occur if the native Android OS browser is used.
The login web page rendered by the native browser does not allow the user to enter a username or password.
If a mobile single sign-on app is not installed on the mobile client, the native Android browser is unable to redirect the user to a page where the user can authenticate. This is due to a limitation in the native browser's JavaScript support.
Internet Explorer users who do not enable Protected Mode cannot sign in with a Social Identity Provider. Instead, an empty page will display.
To work around this issue in Internet Explorer versions 8 and 9, enable Protected Mode:
From the Internet Explorer menu, choose Tools > Internet Options > Security.
Select Enable Protected Mode and restart the browser.
If a user who signs in with Google selects a different language from the on-screen menu, Google redirects the page request outside of the request flow managed by Mobile and Social. Consequently, the log-in pages that Google generates may be in a different language than the pages generated by Mobile and Social. Mobile and Social provides translated pages based on the browser's language settings. To avoid having pages display in different languages, users should only use their browser's preferred language settings to make changes.
In the Oracle Access Management console, when viewing the "Mobile and Social Settings" tree in the navigation pane, it is possible to click and drag the contents of this pane out of view.
To work around this issue, refresh the page or log out and log in again.
A bug that prevents user profile attributes from displaying in the White Pages app is fixed as of Bundle Patch 2.
This topic describes general issues and workarounds for Oracle Access Management Access Portal Service. It includes the following topics:
In a clean browser session in which the JavaScript client has not yet set the partner ID cookie, credentials entered into a basic authentication (modal) dialog are not captured.
There is currently no workaround for this issue.
This section describes configuration issues and their workarounds organized around specific services. To streamline your experience, only services with an issue are included. For example, Identity Context has no known issues at this time and is not included. The following topics are included:
Section 5.2.1, "Configuration Issues and Workarounds: Access Manager"
Section 5.2.2, "Configuration Issues and Workarounds: Security Token Service"
Section 5.2.3, "Configuration Issues and Workarounds: Identity Federation"
Section 5.2.4, "Configuration Issues and Workarounds: OAuth Services, and Mobile and Social"
This topic describes configuration issues and workarounds for Oracle Access Management Access Manager (Access Manager). It includes the following topics:
Section 5.2.1.1, "OAM Migration Doesn't Create All Data Sources"
Section 5.2.1.2, "Password Validation Scheme Defaults to LDAP after Upgrade"
Section 5.2.1.3, "Using Plugins Between IBM HTTP Server and WebSphere"
Section 5.2.1.4, "Using ObAccessClient Results in SDK Initialization Failure"
Section 5.2.1.5, "Configuring oamtai.xml for Multiple WebGates"
Section 5.2.1.6, "obLockedOn Attribute Missing From Oracle Internet Directory"
Section 5.2.1.7, "OAM 10g WebGates Used with OAM 11g Need JavaScript"
Section 5.2.1.8, "Enabling OpenSSO Agent Configuration Hotswap"
If the OAM 10g environment that is being migrated to 11g has multiple database instances configured in a Directory Server Profile and some of them share the same displayName value, the migration process does not convert all of the database instances in Data Sources to the new environment. To work around this, rename the 10g environment database instances such that no two instances in the Directory Server Profile have the same displayName value.
After upgrading Access Manager to version 11gR2 PS1, the Password Validation Scheme is not set to the Password Policy Validation Module. Use the Console to set the Password Validation Scheme to the Password Policy Validation Module.
Communication between the IBM HTTP Server (IHS) and WebSphere Application Server (WAS) is made possible by installing and configuring plugins that are available with IHS. The following steps describe the installation and configuration process.
During IHS installation, install the out-of-the-box plugin.
After installation, navigate to the IHS plugin directory (for example, $IHS_HOME\Plugins\config\webserver1) and verify that the plugin-cfg.xml configuration file is available.
Modify plugin-cfg.xml as follows and save the file.
Add the virtual host ports from which IHS can be accessed.
<VirtualHostGroup Name="default_host">
  <!-- Include active IHS port details required for connecting to OAM on WAS -->
  <!-- <VirtualHost Name="*:9004"/> -->
  <VirtualHost Name="*:8080"/>
  <VirtualHost Name="*:17777"/>
</VirtualHostGroup>
Add a <ServerCluster> with the appropriate details, comprising the respective server entries where the resource is deployed.
Add a <UriGroup> tag for each server cluster.
<UriGroup Name="oamserver1_Cluster_URIs">
  <Uri Name="/oam/*"/>
</UriGroup>
Add the corresponding <Route> tag for each <UriGroup> tag.
<Route ServerCluster="oamserver1_Cluster" UriGroup="oamserver1_Cluster_URIs" VirtualHostGroup="default_host"/>
Add the respective VirtualHost entries in WebSphere by navigating to Environment ->Virtual Hosts -> default_hosts -> Host Alias using the IBM console.
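A <Route> that names a ServerCluster, UriGroup or VirtualHostGroup which does not exist, or which is empty, is easy to introduce when editing plugin-cfg.xml by hand, and the plugin then cannot forward /oam/* requests as intended. The following Python checker is an added example, not IBM or Oracle tooling or code from this document: it parses plugin-cfg.xml, reports every Route whose references are missing or empty, and answers which cluster a given request path on a given IHS port would reach. The sample file is constructed (the hostname and port are placeholders, and the second Route is deliberately broken); commented-out VirtualHost entries are ignored because the parser drops XML comments. Treating Uri patterns as simple '*' globs is an assumption about the plugin's matching rules.

```python
"""Consistency check for an IHS plugin-cfg.xml edited as in the steps above.
Added example, not IBM or Oracle tooling; sample file and matching rule are assumed."""
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample: one correct route plus one deliberately broken route.
SAMPLE_PLUGIN_CFG = """<Config>
  <VirtualHostGroup Name="default_host">
    <!-- Include active IHS port details required for connecting to OAM on WAS -->
    <!-- <VirtualHost Name="*:9004"/> -->
    <VirtualHost Name="*:8080"/>
    <VirtualHost Name="*:17777"/>
  </VirtualHostGroup>
  <ServerCluster Name="oamserver1_Cluster">
    <Server Name="oamserver1">
      <Transport Hostname="oam-host.example.invalid" Port="14100" Protocol="http"/>
    </Server>
  </ServerCluster>
  <UriGroup Name="oamserver1_Cluster_URIs">
    <Uri Name="/oam/*"/>
  </UriGroup>
  <UriGroup Name="empty_URIs"/>
  <Route ServerCluster="oamserver1_Cluster" UriGroup="oamserver1_Cluster_URIs"
         VirtualHostGroup="default_host"/>
  <!-- Broken on purpose: the cluster does not exist and the URI group is empty. -->
  <Route ServerCluster="missing_Cluster" UriGroup="empty_URIs" VirtualHostGroup="default_host"/>
</Config>
"""

def _by_name(root, tag):
    """Map Name attribute -> element for the top-level elements with this tag."""
    return {e.get("Name"): e for e in root.findall(tag)}

def check_routes(xml_text):
    """Return a list of problems; an empty list means every Route is fully wired up."""
    root = ET.fromstring(xml_text)
    clusters = _by_name(root, "ServerCluster")
    uri_groups = _by_name(root, "UriGroup")
    vh_groups = _by_name(root, "VirtualHostGroup")
    problems = []
    routes = root.findall("Route")
    if not routes:
        problems.append("no <Route> defined")
    for n, route in enumerate(routes, 1):
        cluster, uris, vhosts = (route.get(a) for a in ("ServerCluster", "UriGroup", "VirtualHostGroup"))
        if cluster not in clusters:
            problems.append(f"route {n}: ServerCluster {cluster!r} not defined")
        elif not clusters[cluster].findall("Server"):
            problems.append(f"route {n}: ServerCluster {cluster!r} has no <Server>")
        if uris not in uri_groups:
            problems.append(f"route {n}: UriGroup {uris!r} not defined")
        elif not uri_groups[uris].findall("Uri"):
            problems.append(f"route {n}: UriGroup {uris!r} has no <Uri>")
        if vhosts not in vh_groups:
            problems.append(f"route {n}: VirtualHostGroup {vhosts!r} not defined")
        elif not vh_groups[vhosts].findall("VirtualHost"):
            problems.append(f"route {n}: VirtualHostGroup {vhosts!r} has no active <VirtualHost>")
    return problems

def clusters_for_path(xml_text, path, port):
    """Which server clusters would receive a request for `path` arriving on IHS `port`?
    Uri patterns are treated as '*' globs (an assumption about the plugin's matching)."""
    root = ET.fromstring(xml_text)
    uri_groups = _by_name(root, "UriGroup")
    vh_groups = _by_name(root, "VirtualHostGroup")
    matched = []
    for route in root.findall("Route"):
        group = uri_groups.get(route.get("UriGroup"))
        vhg = vh_groups.get(route.get("VirtualHostGroup"))
        if group is None or vhg is None:
            continue   # already reported by check_routes
        ports = {vh.get("Name").rsplit(":", 1)[-1] for vh in vhg.findall("VirtualHost")}
        if str(port) not in ports:
            continue
        if any(fnmatchcase(path, uri.get("Name")) for uri in group.findall("Uri")):
            matched.append(route.get("ServerCluster"))
    return matched
```

Run check_routes on your plugin-cfg.xml after each edit and clusters_for_path with the port you actually expose on IHS; a port that only exists as a commented-out VirtualHost (9004 in the sample) yields no cluster, which is the symptom of forgetting to uncomment the active port line.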
Using an ObAccessClient (created with the 11.1.1.5.0 Access Manager Console) to create the AccessClient for the 11g ASDK (11.1.1.7.0, 11.1.2.0.0 and above) results in the following error because the older ObAccessClient.xml file has Boolean settings expressed as true/false rather than numeric:
oracle.security.am.asdk.AccessClient initialize SEVERE: Oracle Access SDK initialization failed.
To work around this, copy the original (older) ObAccessClient.xml from DOMAIN_HOME/output/AGENT_NAME to the ASDK configuration directory (configLocation). You may also manually edit the newer ObAccessClient.xml to change the Boolean values ("true/false") to numeric values (0/1).
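The manual edit above (true/false to 0/1 in ObAccessClient.xml) can be scripted so that no Boolean is missed and nothing else in the file is touched. The following Python converter is an added example, not Oracle tooling or code from this document: find_boolean_values audits which values are still spelled true/false, and convert_booleans rewrites them as 1/0 in every element and attribute while keeping the file's default namespace unprefixed on output. The constructed sample uses NameValPair elements with ParamName and Value attributes and an illustrative set of parameter names; that layout is an assumption about the file format, and the converter does not rely on it.

```python
"""Convert true/false Booleans in an ObAccessClient.xml to the numeric 1/0 form.
Added example, not Oracle tooling; the sample's element layout is assumed."""
import xml.etree.ElementTree as ET

BOOL_TO_NUMERIC = {"true": "1", "false": "0"}

# Constructed sample in an assumed layout; parameter names are illustrative only.
SAMPLE_OBACCESSCLIENT = """<CompoundList ListName="" xmlns="http://www.oblix.com/">
  <SimpleList>
    <NameValPair ParamName="id" Value="Webgate_IDM_11g"/>
    <NameValPair ParamName="denyOnNotProtected" Value="true"/>
    <NameValPair ParamName="cachePragmaHeader" Value="no-cache"/>
    <NameValPair ParamName="debug" Value="false"/>
  </SimpleList>
</CompoundList>
"""

def _label(elem, attr):
    """Where a value lives: the ParamName if present, otherwise element@attr."""
    return elem.get("ParamName") or elem.tag.rsplit("}", 1)[-1] + "@" + attr

def find_boolean_values(xml_text):
    """Audit step: (label, value) pairs that are still spelled true/false."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if value.strip().lower() in BOOL_TO_NUMERIC:
                found.append((_label(elem, attr), value))
        if elem.text and elem.text.strip().lower() in BOOL_TO_NUMERIC:
            found.append((_label(elem, "text"), elem.text.strip()))
    return found

def convert_booleans(xml_text):
    """Return (new_xml, changes); each change is (label, old_value, new_value)."""
    root = ET.fromstring(xml_text)
    # Keep the document's default namespace unprefixed so the output looks like the input.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    changes = []
    for elem in root.iter():
        for attr, value in list(elem.attrib.items()):
            key = value.strip().lower()
            if key in BOOL_TO_NUMERIC:
                elem.set(attr, BOOL_TO_NUMERIC[key])
                changes.append((_label(elem, attr), value, BOOL_TO_NUMERIC[key]))
        if elem.text and elem.text.strip().lower() in BOOL_TO_NUMERIC:
            key = elem.text.strip().lower()
            changes.append((_label(elem, "text"), elem.text.strip(), BOOL_TO_NUMERIC[key]))
            elem.text = BOOL_TO_NUMERIC[key]
    return ET.tostring(root, encoding="unicode"), changes
```

Review the audit list before writing the converted file back: the walker changes any value that is exactly true or false, so a free-text parameter that happens to hold that word would be converted too.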
There is only one oamtai.xml file for a single WebSphere instance. In a case where the deployment contains multiple WebGate profiles protecting applications deployed on the same WebSphere application server (for example, a mix of 10g and 11g WebGates), the OAM Trust Association Interceptor must be configured as follows.
Irrespective of the number of WebGates in the deployment, the agent profile defined in the file should be an OAM10g type.
The assertion type should be defined as HeaderBasedAssertion.
After upgrading Access Manager from 11gR2 to 11gR2 PS1, the obLockedOn attribute will be missing from Oracle Internet Directory. Use the following steps to add this attribute back to OID.
Manually add the obLockedOn attribute to the schema.
Import the LDIF into OID using the ldapmodify command.
Edit oam_user_write_acl_users_oblockedon_template.ldif to give oamSoftwareUser permission to modify obLockedOn.
Replace %s_UsersContainerDN% with the User Search Base and replace %s_GroupsContainerDN% with the Group Search Base.
Import the modified oam_user_write_acl_users_oblockedon_template.ldif.
When Oracle Access Manager 10g WebGates are used with Oracle Access Management 11g, the webgate_install_directory/oamsso/logout.html page needs JavaScript code to initiate redirection to the Oracle Access Management 11g server logout page. This page, after logging out with the WebGate cookie, also clears the 11g session. When migrating Oracle Access Manager 10g WebGates, follow the procedure documented in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
To enable OpenSSO Agent configuration hotswap, make sure the OpenSSO agents have the following properties in the Miscellaneous properties section of the agent's registration in the OpenSSO Proxy on the OAM Server, and restart the agent servers:
J2EE Agents: com.sun.identity.client.notification.url=http://<AGENT_SERVER_HOST>:<AGENT_SERVER_PORT>/agentapp/notification
Web Agents: com.sun.identity.client.notification.url=http://<AGENT_SERVER_HOST>:<AGENT_SERVER_PORT>/UpdateAgentCacheServlet?shortcircuit=false
Not supported for Web Agents: com.sun.identity.agents.config.change.notification.enable=true
Restart the OAM Server hosting the agent.
This topic describes configuration issues and their workarounds for Oracle Access Management Security Token Service (Security Token Service). It includes the following topics:
Section 5.2.2.1, "Create Like (Duplicate) Does Not Copy All Properties of Original Template"
Section 5.2.2.2, "No Console Support Removing Partner Encryption or Signing Certificates"
Security Token Service Create Like (duplicate) button does not copy some properties on the original Issuing Authority Profile template (the Security and Attribute Mapping sections, for instance).
The Administrator must manually enter the necessary configuration items into the newly created Issuing Authority Profile:
From the Oracle Access Management Console Launch Pad, click Token Issuance Templates under Security Token Service.
Select an existing Issuance Template and click the Create Like (duplicate) button.
Create the new copied Issuance Template and manually enter the necessary configuration items in the newly created Template.
The Oracle Access Management Console does not provide a way to remove a signing or encryption certificate that was set for a Security Token Service Partner.
The Administrator must manually delete these using the following WLST commands:
To delete the signing certificate of a Security Token Service Partner: deletePartnerSigningCert
To delete the encryption certificate of a Security Token Service Partner: deletePartnerEncryptionCert
This topic describes configuration issues and their workarounds for Oracle Access Management Identity Federation (Identity Federation). It includes the following topics:
Section 5.2.3.1, "Provider Search Text Fields do an Exact Match Search"
Section 5.2.3.2, "Incorrect Error Message when an Invalid Signing Certificate is Uploaded"
Users should be aware that in the Oracle Access Management Console, the Identity Provider search screen does an exact match (==) for the ProviderId and Partner name fields, rather than a "contains" search.
Although it is an exact match, the user can employ "*" as a wild card in searches.
While creating or editing an IdP, if you upload an invalid file for a signing certificate, you will see a Null pointer exception error message instead of a proper message indicating that the file does not contain a certificate.
This topic describes configuration issues and their workarounds for Oracle Access Management Mobile and Social (Mobile and Social). It includes the following topics:
Section 5.2.4.1, "The OAuth 3-Legged Flow With External LDAP Requires a WebGate Proxy"
Section 5.2.4.2, "OAuth Scope Supersets Should be Defined Before Subsets"
Section 5.2.4.3, "Steps Required to Localize the Register Page"
Section 5.2.4.4, "Mobile Clients do not Translate Error Messages Sent by the Server"
Section 5.2.4.5, "Yahoo Identity Provider Does not Return First Name and Last Name"
Section 5.2.4.6, "Once Set, Jail Breaking "Max OS Version" Setting Cannot be Empty"
A WebGate proxy is required to use the OAuth 3-Legged authorization flow with an external LDAP directory server. To address this issue, follow the steps in the "Configuring a WebGate to Protect the OAuth Service" section of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
When defining OAuth scopes on the Resource Server Configuration page, add scope supersets (UserProfile.*) before subsets (UserProfile.users). You can only select scope supersets from the dropdown list after you remove scope subsets from the list.
Because of a design change, attribute names on the Register page are in English and are not localized to other languages. To translate this page, use the following steps to modify the attribute name values using the Oracle Access Management console.
Open the Oracle Access Management console Launch Pad and click Social Identity under Mobile and Social.
Open the Application Profile, for example OAMApplication.
Go to the User Attribute Display Name list in the Registration Service Details with Application User Attribute Mapping section.
Replace the values in English with localized values.
Save your changes by clicking Apply on the OAMApplication page.
Open the Register page and confirm that the page shows the correct localized values.
The Mobile and Social server sends error messages to the mobile clients in the language that is configured in the server locale language settings. The mobile clients cannot translate server error messages to a different language.
The Yahoo social identity provider does not return firstname and lastname values following user authentication. To work around this issue, change the following Mobile and Social mappings in the Oracle Access Management console:
Open the Application Profile for editing.
Click Next until the Social Identity Provider configuration page opens.
Open the Application User Attribute Vs Social Identity Provider User Attributes Mapping section.
In the Attribute Mapping section, click Yahoo to select it in the Social Identity Provider list.
Configure the values as follows:
Locate firstname in the Application User Attribute column and in the corresponding Social Identity Provider User Attributes column, choose nickname.
Locate lastname in the Application User Attribute column and in the corresponding Social Identity Provider User Attributes column, choose fullname.
Save the Application Profile.
Once you assign a value to the Jail Breaking Detection Policy "Max OS Version" setting, you cannot remove the value and leave the field empty. Per the documentation, the Max OS Version field is used to configure the maximum iOS version to which the Jail Breaking policy applies. If the value is empty, a maximum iOS version number is not checked so the policy applies to any iOS version higher than the value specified for Min OS Version. Once set, however, the value cannot go back to being empty. To work around this issue, set a value for the Max OS Version field.
This section documents issues that affect the Oracle Access Management Console. It includes the following topics:
The Agent Registration Quick Start Wizard Help screen is missing content.
If the OAM Server and the Oracle Access Management Console client are configured for different locales, the server will report error messages to the client in whichever language the server is configured for.
Oracle manuals describing and showing Oracle Access Management 11.1.2 and related services, including these Release Notes, incorrectly refer to the OAM Server (the former name of the Access Manager Server). However, in the next release of Oracle 11.1.2 books, the term OAM Server will be replaced by AM Server (Access Manager Server).
This section describes documentation errata for Oracle Access Management-specific manuals. It includes the following titles:
Section 5.4.1, "Oracle Fusion Middleware Administrator's Guide for Oracle Access Management"
Section 5.4.2, "Oracle Fusion Middleware Developer's Guide for Oracle Access Management"
Documentation errata for Oracle Fusion Middleware Administrator's Guide for Oracle Access Management is organized into the following topics:
Section 5.4.1.2, "Creds Parameter Lists 10g and 11g Format Without Specifics"
Section 5.4.1.3, "Incorrect OpenSSO Agent Configuration Directory Documented"
The Max Session Time element description in Chapter 16 Registering and Managing OAM 11g Agents has been updated.
The format of the creds= challenge parameter listed the 10g format (creds:source$name) in an 11g book. The 10g format was removed and text was added to explain the 11g format.
Replaced the incorrect configuration directory path WebTier_Middleware_Home/Oracle_WT1/instances1/config/OHS/ohs1/config/ with the correct one: PolicyAgent-base/AgentInstance-Dir/config
This chapter lists support for Microsoft SharePoint Server 2010. As of March 2014, Access Manager with a 10g WebGate supports both Microsoft SharePoint Server 2010 and Microsoft SharePoint Server 2013. Other versions of Microsoft SharePoint Server are not supported in this release.
There are no documentation errata for Oracle Fusion Middleware Developer's Guide for Oracle Access Management.