This chapter describes issues associated with general Oracle Fusion Middleware administration involving Identity Management. It includes the following topics:
This section describes general issues and their workarounds. It includes the following topics:
Section 4.1.2, "Fusion Middleware Control May Return Error in Mixed IPv6 and IPv4 Environment"
Section 4.1.3, "Limitations in Moving from Test to Production"
Section 4.2.1, "Configuring Fusion Middleware Control for Windows Native Authentication"
OPMN provides the opmnctl command. The executable file is located in the following directories:
ORACLE_HOME/opmn/bin/opmnctl: The opmnctl command from this location should be used only to create an Oracle instance or a component for an Oracle instance on the local system. Any opmnctl commands generated from this location should not be used to manage system processes or to start OPMN.
On Windows, if you start OPMN using the opmnctl start command from this location, OPMN and its processes will terminate when the Windows user has logged out.
ORACLE_INSTANCE/bin/opmnctl: The opmnctl command from this location provides a per Oracle instance instantiation of opmnctl. Use opmnctl commands from this location to manage processes for this Oracle instance. You can also use this opmnctl to create components for the Oracle instance.
On Windows, if you start OPMN using the opmnctl start command from this location, it starts OPMN as a Windows service. As a result, the OPMN parent process, and the processes which it manages, persist after the MS Windows user has logged out.
If your environment contains both IPv6 and IPv4 network protocols, Fusion Middleware Control may return an error in certain circumstances.
If the browser that is accessing Fusion Middleware Control is on a host using the IPv4 protocol, and selects a control that accesses a host using the IPv6 protocol, Fusion Middleware Control will return an error. Similarly, if the browser that is accessing Fusion Middleware Control is on a host using the IPv6 protocol, and selects a control that accesses a host using the IPv4 protocol, Fusion Middleware Control will return an error.
For example, if you are using a browser that is on a host using the IPv4 protocol and you are using Fusion Middleware Control, Fusion Middleware Control returns an error when you navigate to an entity that is running on a host using the IPv6 protocol, such as in the following situations:
From the Oracle Internet Directory home page, you select Directory Services Manager from the Oracle Internet Directory menu. Oracle Directory Services Manager is running on a host using the IPv6 protocol.
From a Managed Server home page, you click the link for Oracle WebLogic Server Administration Console, which is running on IPv6.
You test Web Services endpoints, which are on a host using IPv6.
You click an application URL or Java application which is on a host using IPv6.
To work around this issue, you can add the following entry to the /etc/hosts file:
nnn.nn.nn.nn myserver-ipv6 myserver-ipv6.example.com
In the example, nnn.nn.nn.nn is the IPv4 address of the Administration Server host, myserver.example.com.
Note the following limitations and known problems in moving from a test to a production environment:
If your environment includes Oracle WebLogic Server which you have upgraded from one release to another (for example, from 10.3.4 to 10.3.5), the pasteConfig script fails with the following error:
Oracle_common_home/bin/unpack.sh line29: WL_home/common/bin/unpack.sh No such file or directory
To work around this issue, edit the following file:
MW_HOME/utils/uninstall/WebLogic_Platform_10.3.5.0/WebLogic_Server_10.3.5.0_Core_Application_Server.txt
Add the following entries:
/wlserver_10.3/server/lib/unix/nodemanager.sh
/wlserver_10.3/common/quickstart/quickstart.cmd
/wlserver_10.3/common/quickstart/quickstart.sh
/wlserver_10.3/uninstall/uninstall.cmd
/wlserver_10.3/uninstall/uninstall.sh
/utils/config/10.3/setHomeDirs.cmd
/utils/config/10.3/setHomeDirs.sh
When you are moving Oracle Virtual Directory, the Oracle instance name in the target environment must be different from the Oracle instance name in the source environment; the two names cannot be the same.
After you move Oracle Virtual Directory from one host to another, you must add a self-signed certificate to the Oracle Virtual Directory keystore and EM Agent wallet on Host B. Take the following steps:
Set the ORACLE_HOME and JAVA_HOME environment variables.
Delete the existing self-signed certificate:
$JAVA_HOME/bin/keytool -delete -alias serverselfsigned -keystore ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/keys.jks -storepass OVD_Admin_password
Generate a key pair:
$JAVA_HOME/bin/keytool -genkeypair -keystore ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/keys.jks -storepass OVD_Admin_password -keypass OVD_Admin_password -alias serverselfsigned -keyalg rsa -dname "CN=Fully_qualified_hostname,O=test"
Export the certificate:
$JAVA_HOME/bin/keytool -exportcert -keystore ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/keys.jks -storepass OVD_Admin_password -rfc -alias serverselfsigned -file ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/ovdcert.txt
Add a wallet to the EM Agent:
ORACLE_HOME/../oracle_common/bin/orapki wallet add -wallet ORACLE_INSTANCE/EMAGENT/EMAGENT/sysman/config/monwallet -pwd EM_Agent_Wallet_password -trusted_cert -cert ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/ovdcert.txt
Stop and start the Oracle Virtual Directory server.
Stop and start the EM Agent.
The copyConfig operation fails if you are using IPv6 and the Managed Server listen address is not set.
To work around this problem, set the Listen Address for the Managed Server in the Oracle WebLogic Server Administration Console. Navigate to the server. Then, on the Settings for server page, enter the Listen Address. Restart the Managed Servers.
When you are moving Oracle Platform Security and you are using an LDAP store, the LDAP store on the source environment must be running and it must be accessible from the target during the pasteConfig operation.
If you have configured WebGate with Oracle HTTP Server Release 11.1.1.6, you must apply patch 13897557 to Oracle HTTP Server before you use the movement scripts.
The movement scripts do not support moving any release of Oracle Identity Manager prior to Release 11.1.2.1 to another environment, either through the movement scripts or through manual steps. In addition, if any release of Oracle Identity Manager prior to Release 11.1.2.1 is part of the source environment of other components, the movement scripts for that environment will fail.
When you are moving Oracle Entitlements Server from a source to a target environment, the copyConfig step may fail and display an exception similar to the following in the log file:
javax.management.InstanceNotFoundException: java.lang:type=Runtime
at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:223)
Before running copyConfig on the source environment, you must first set the JAVA_OPTIONS environment variable in the shell and restart the source environment. Set the variable as follows, for example:
setenv JAVA_OPTIONS -Djavax.management.builder.initial=weblogic.management.jmx.mbeanserver.WLSMBeanServerBuilder
After you move Oracle Adaptive Access Manager, the database schema user name for Oracle Adaptive Access Manager will be changed only if OPSS data is not migrated as part of the copyConfig operation (specified using the opssdataexport parameter).
If the copyConfig operation fails for a domain involving Oracle Identity Manager with the following exception trace, the script encountered a problem getting an MBean server connection for the Oracle Identity Manager Managed Server using the host name localhost:
INFO : [PLUGIN][OIM] Mar 22, 2013 7:45:23 AM - CLONE-71019 Executing Mbean:MBean Name:oracle.iam:type=IAMAppRuntimeMBean,name=IDStoreConfigMBean,Application=oim,ApplicationVersion=11.1.2.0.0.
INFO : [PLUGIN][OIM] null
oracle.as.t2p.exceptions.FMWT2PCopyConfigException: java.lang.Exception
at oracle.iam.t2p.OIMT2PCopyConfig.doCopyConfig(OIMT2PCopyConfig.java:87)
at oracle.as.clone.cloner.component.J2EEComponentCreateCloner.getMovableCompsFromPluginImpl(J2EEComponentCreateCloner.java:796)
. . .
In this situation, analyze and correct the network configuration on the machine. Also check the file /etc/hosts for this network configuration.
If you are moving an integrated Access Manager and Oracle Adaptive Access Manager environment, you may receive the following errors:
####<Mar 23, 2013 4:38:12 AM PDT> <Error> <Security> <slc01age> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1332502692218> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: java.lang.AssertionError: java.lang.reflect.InvocationTargetException. weblogic.security.service.SecurityServiceException: java.lang.AssertionError: java.lang.reflect.InvocationTargetException
In this case, take the following steps:
Remove the access client password of the IAMSuiteAgent from the Access Manager console and the Oracle WebLogic Server Administration Console deployed on the source environment.
Execute the copyConfig script on the source environment.
Execute the pasteConfig script on the target environment.
When you execute the pasteConfig script and the archive contains Oracle Platform Security Services, the script may return the following errors:
oracle.security.audit.util.StrictValidationEventHandler handleEvent WARNING: Failed to validate the xml content. Reason: cvc-complex-type.2.4.b: The content of element '' is not complete. One of '{"http://xmlns.oracle.com/ias/audit/audit-2.0.xsd":source}' is expected..
Apr 24, 2013 6:28:29 AM oracle.security.audit.util.StrictValidationEventHandler handleEvent WARNING: Failed to validate the xml content. Reason: cvc-complex-type.2.4.b: The content of element '' is not complete. One of '{"http://xmlns.oracle.com/ias/audit/audit-2.0.xsd":source}' is expected..
You can ignore these errors.
When you execute the pasteConfig script, you may see the following error messages in the pasteConfig logs:
SEVERE: 2013-10-22 01:06:33.432/953.466 Oracle Coherence GE 3.7.1.1 <Error> (thread=Configuration Store Observer, member=n/a): Error while starting cluster: (Wrapped) java.io.FileNotFoundException: config/fmwconfig/.cohstore.jks (No such file or directory)
at com.tangosol.util.Base.ensureRuntimeException(Base.java:288)
at com.tangosol.util.Base.ensureRuntimeException(Base.java:269)
at com.tangosol.net.ssl.SSLSocketProvider.setConfig(SSLSocketProvider.java:444)
at com.tangosol.net.SocketProviderFactory.createProvider(SocketProviderFactory.java:77)
at com.tangosol.net.SocketProviderFactory.ensureProvider(SocketProviderFactory.java:152)
at com.tangosol.coherence.component.net.Cluster.configureSockets(Cluster.CDB:28)
You can ignore these errors.
The copyConfig script may return the following warnings:
=======================================================================
WARNING: Unsupported configuration store version detected. Required "11.1.2.2.0" but found "11.1.2.1.0".
Nov 03, 2013 10:16:41 PM oracle.security.am.admin.config.BasicFileConfigurationStore loadConfiguration
WARNING: Unsupported configuration store version detected. Required "11.1.2.2.0" but found "11.1.2.1.0".
Nov 03, 2013 10:16:42 PM oracle.security.am.admin.config.BasicFileConfigurationStore loadConfiguration
WARNING: Unsupported configuration store version detected. Required "11.1.2.2.0" but found "11.1.2.1.0".
=======================================================================
You can ignore these warnings.
In an environment that contains Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager, the target environment may contain incorrect values for the following data source properties:
portNumber
SID
serverName
These are redundant properties, present in all data sources in the domain, and there is no functional loss from these properties carrying the wrong values.
This section describes configuration issues and their workarounds. It includes the following topics:
To use Windows Native Authentication (WNA) as the single sign-on mechanism between Fusion Middleware Control and Oracle WebLogic Server Administration Console, you must make changes to the following files:
web.xml
weblogic.xml
These files are located in the em.ear file. You must explode the em.ear file, edit the files, then rearchive the em.ear file. Take the following steps (which assume that while the front end is on Windows, the em.ear file is on UNIX):
Set the JAVA_HOME environment variable. For example:
setenv JAVA_HOME /scratch/Oracle/Middleware/jrockit_160_05_R27.6.2-20
Change to the directory containing the em.ear, and explode the file. For example:
cd /scratch/Oracle/Middleware/user_projects/applications/domain_name
$JAVA_HOME/bin/jar xvf em.ear em.war
$JAVA_HOME/bin/jar xvf em.war WEB-INF/web.xml
$JAVA_HOME/bin/jar xvf em.war WEB-INF/weblogic.xml
Edit web.xml, commenting out the first login-config block and uncommenting the login-config block for WNA. (The file contains information about which block to comment and uncomment.) When you have done this, the portion of the file will appear as in the following example:
<!--<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
-->
<!-- the following block is for Windows Native Authentication, if you are using WNA, do the following:
  1. uncomment the following block
  2. comment out the previous <login-config> section.
  3. you also need to uncomment a block in weblogic.xml
-->
<login-config>
  <auth-method>CLIENT-CERT,FORM</auth-method>
  <form-login-config>
    <form-login-page>/faces/targetauth/emasLogin</form-login-page>
    <form-error-page>/login/LoginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-constraint>
. . .
<security-role>
  <role-name>Monitor</role-name>
</security-role>
Edit weblogic.xml, uncommenting the following block. (The file contains information about which block to uncomment.) When you have done this, the portion of the file will appear as in the following example:
<!-- the following block is for Windows Native Authentication, if you are using WNA, uncomment the following block. -->
<security-role-assignment>
  <role-name>Admin</role-name>
  <externally-defined/>
</security-role-assignment>
. . .
<security-role-assignment>
  <role-name>Deployer</role-name>
  <externally-defined/>
</security-role-assignment>
Rearchive the em.ear file. For example:
$JAVA_HOME/bin/jar uvf em.war WEB-INF/web.xml
$JAVA_HOME/bin/jar uvf em.war WEB-INF/weblogic.xml
$JAVA_HOME/bin/jar uvf em.ear em.war
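Because a half-done edit (both login-config blocks active, or the role assignments still commented out) silently changes who can authenticate to Fusion Middleware Control, it is worth confirming the descriptors inside the rearchived em.ear before redeploying it. The following Python script is an added example, not part of these release notes or of the Oracle product: it reads WEB-INF/web.xml and WEB-INF/weblogic.xml out of em.war inside em.ear in memory and checks that exactly one login-config is active with auth-method CLIENT-CERT,FORM and that the Admin role assignment is externally defined. The sample descriptors and the two-level archive layout it builds are constructed for the example; a real em.ear carries far more content, but the checks apply unchanged.

```python
# Added example (not from the Oracle release notes): verify the WNA edits inside
# em.ear without exploding it on disk. Sample descriptors below are constructed.
import io
import zipfile
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def read_nested(ear_bytes, war_name, member):
    """Return `member` from the WAR inside the EAR (same files jar xvf would extract)."""
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        war_bytes = ear.read(war_name)
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.read(member)


def active_auth_methods(web_xml):
    """auth-method of every *active* <login-config>. ElementTree drops XML comments,
    so a block that is still commented out is not counted."""
    methods = []
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "login-config":
            for child in el:
                if _local(child.tag) == "auth-method":
                    methods.append((child.text or "").strip())
    return methods


def externally_defined_roles(weblogic_xml):
    """Role names whose active <security-role-assignment> carries <externally-defined/>."""
    roles = set()
    for el in ET.fromstring(weblogic_xml).iter():
        if _local(el.tag) != "security-role-assignment":
            continue
        name, external = None, False
        for child in el:
            if _local(child.tag) == "role-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "externally-defined":
                external = True
        if name and external:
            roles.add(name)
    return roles


def check_wna(ear_bytes, required_roles=("Admin",)):
    """Return a list of problems; an empty list means the EAR carries the WNA configuration."""
    web_xml = read_nested(ear_bytes, "em.war", "WEB-INF/web.xml")
    wl_xml = read_nested(ear_bytes, "em.war", "WEB-INF/weblogic.xml")
    problems = []
    methods = active_auth_methods(web_xml)
    if len(methods) != 1:
        problems.append(f"expected exactly one active login-config, found {len(methods)}")
    elif methods[0] != "CLIENT-CERT,FORM":
        problems.append(f"active auth-method is {methods[0]!r}, expected 'CLIENT-CERT,FORM'")
    missing = sorted(set(required_roles) - externally_defined_roles(wl_xml))
    if missing:
        problems.append("roles not externally defined in weblogic.xml: " + ", ".join(missing))
    return problems


def sample_web_xml(wna):
    """Constructed minimal web.xml: wna=False is the shipped state, wna=True the edited state."""
    cert_only = "<login-config><auth-method>CLIENT-CERT</auth-method></login-config>"
    wna_block = ("<login-config><auth-method>CLIENT-CERT,FORM</auth-method><form-login-config>"
                 "<form-login-page>/faces/targetauth/emasLogin</form-login-page>"
                 "<form-error-page>/login/LoginError.jsp</form-error-page>"
                 "</form-login-config></login-config>")
    active, commented = (wna_block, cert_only) if wna else (cert_only, wna_block)
    return (f'<web-app xmlns="http://java.sun.com/xml/ns/javaee">{active}<!-- {commented} -->'
            "<security-role><role-name>Monitor</role-name></security-role></web-app>")


def sample_weblogic_xml(wna):
    """Constructed minimal weblogic.xml; the assignments stay commented out unless wna=True."""
    block = "".join(f"<security-role-assignment><role-name>{r}</role-name>"
                    "<externally-defined/></security-role-assignment>" for r in ("Admin", "Deployer"))
    body = block if wna else f"<!-- {block} -->"
    return f'<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">{body}</weblogic-web-app>'


def build_sample_ear(web_xml, weblogic_xml):
    """Pack the two descriptors into em.war, then em.war into em.ear, entirely in memory."""
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/web.xml", web_xml)
        war.writestr("WEB-INF/weblogic.xml", weblogic_xml)
    ear_buf = io.BytesIO()
    with zipfile.ZipFile(ear_buf, "w") as ear:
        ear.writestr("em.war", war_buf.getvalue())
    return ear_buf.getvalue()


if __name__ == "__main__":
    import sys
    # Real use: python check_wna.py /path/to/em.ear ; with no argument the constructed sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            ear = f.read()
    else:
        ear = build_sample_ear(sample_web_xml(True), sample_weblogic_xml(True))
    print(check_wna(ear) or "WNA configuration looks correct")
```

Run it against the rearchived em.ear after step 5; any line it prints points at the descriptor that still needs editing. Matching on local element names rather than a fixed namespace keeps the check valid whichever web-app schema version the shipped descriptor declares.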
This section contains the following documentation errata for the Oracle Fusion Middleware Administrator's Guide and the Oracle Fusion Middleware High Availability Guide:
Section 4.3.1, "Documentation Errata for the Oracle Fusion Middleware Administrator's Guide"
Section 4.3.2, "Documentation Errata for the Oracle Fusion Middleware High Availability Guide"
There are no documentation errata for the Oracle Fusion Middleware Administrator's Guide at this time.
This section contains the following documentation errata for the Oracle Fusion Middleware High Availability Guide for 11g Release 2 (11.1.2.1.0), Part Number E28391-04:
In section 8.3.3.1.1, "Install Oracle WebLogic Server", step 5, "On the Choose Products and Components screen, select only Oracle JRockit SDK and click Next," is incorrect. It should state "On the Choose Products and Components screen, select a certified JDK. Refer to the Oracle certification matrix for the appropriate JDK to select. See http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls."