6 Oracle Entitlements Server

This chapter describes issues associated with Oracle Entitlements Server. It includes the following topics:

6.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

6.1.1 Searching for a Resource Created in the Authorization Policy Manager of a Derby Template Domain Gives an Error

If the Oracle Entitlements Server domain was created using the Derby template, when you search for a resource created in the Authorization Policy Manager, the console displays the following error message:

JPS-10000: There was an internal error in the policy store

The workaround is to use the search management API.

6.1.2 Grant Missing Manage and View Permissions for a Delegated Administrator

There are issues related to missing MANAGE - POLICY, VIEW - APPLICATION_ROLE / RESOURCE / RESOURCE_TYPE / ENTITLEMENT permissions that are implicitly "granted" or implied when privileges, such as "view and manage," are granted to the delegated administrator. For example, in order to create a policy as a delegated administrator, the MANAGE - POLICY permission is required, and because the delegated administrator must search for an application role, resource, and/or entitlement, he requires the VIEW - APPLICATION_ROLE / RESOURCE / RESOURCE_TYPE / ENTITLEMENT permissions.

To work around these issues, grant ALL permissions to the delegated administrator. This includes domain delegated permissions as well.

6.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topic:

6.2.1 x.509 Certificates Key Length Limitation for JDK1.7.0_40 and Later

For JDK1.7.0_40 and later, the use of x.509 certificates with RSA keys less than 1024 bits in length is restricted. Because the Oracle Entitlements Server Administration Server key size is 512 bits, if you use JDK1.7.0_40 and later, you must remove the key size limitation. To do this, modify the default value jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 to jdk.certpath.disabledAlgorithms=MD2 in the java.security file in the java_home/jre/lib/security directory. If you do not perform this workaround, the following scenarios may fail:

  • Creation of all Security Modules except WebLogic Security Module in controlled-push mode

  • Controlled-push WebLogic Security Module registration with Oracle Entitlements Server
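The following audit helper is an added example, not part of Oracle's documentation: it reads the text of a java.security file and reports whether the RSA key size restriction in jdk.certpath.disabledAlgorithms is still in force, so that JREs where this workaround was applied can be identified and tracked. The function names and sample file contents are constructed for illustration, and the parser assumes a trailing backslash always means line continuation.

```python
import re

PROP = "jdk.certpath.disabledAlgorithms"

def read_property(text, name):
    """Return the last effective value of `name` in java.security-style text."""
    value, logical = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\"):           # entry continues on the next line
            logical += line[:-1]
            continue
        logical += line
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", logical)
        if m and m.group(1) == name:
            value = m.group(2).strip()    # a later definition overrides an earlier one
        logical = ""
    return value

def rsa_min_key_size(value):
    """Return N when the value contains 'RSA keySize < N', otherwise None."""
    for constraint in (value or "").split(","):
        m = re.fullmatch(r"RSA\s+keySize\s*<\s*(\d+)", constraint.strip())
        if m:
            return int(m.group(1))
    return None

def audit(text):
    """Summarise the RSA key size policy found in java.security text."""
    value = read_property(text, PROP)
    if value is None:
        return "property not set"
    limit = rsa_min_key_size(value)
    if limit is None:
        return "RSA key size restriction removed"
    return f"RSA keys under {limit} bits rejected"

# Constructed sample contents (not copied from a real installation).
DEFAULT = "# default\njdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024\n"
WORKAROUND = "jdk.certpath.disabledAlgorithms=MD2\n"
CONTINUED = "jdk.certpath.disabledAlgorithms=MD2, \\\n    RSA keySize < 1024\n"

if __name__ == "__main__":
    for label, text in [("default", DEFAULT), ("workaround", WORKAROUND),
                        ("continued", CONTINUED)]:
        print(f"{label}: {audit(text)}")
```

To check a real installation, pass the contents of java_home/jre/lib/security/java.security to audit().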

6.3 Documentation Errata

There are no documentation errata at this time.