8 Oracle Privileged Account Manager

This chapter describes issues associated with Oracle Privileged Account Manager. It includes the following topics:

8.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

8.1.1 No Translation (Messages or Help) Support for OPAM Command Line Tools

Oracle Privileged Account Manager command-line tool messages and help were not translated in the Oracle Privileged Account Manager 11.1.2.0.0 release.

Translation support for the Oracle Privileged Account Manager command-line tool messages and help will be provided after the 11.1.2.0.0 release.

8.1.2 idmconfigtool Does Not Create OPAM Admin Roles in Groups Container

When you execute the steps to create Oracle Privileged Account Manager Admin Roles, the roles are created under the IDSTORE_SEARCHBASE rather than the IDSTORE_GROUPSEARCHBASE specified in the properties file that is passed to idmConfigTool. This makes configuring an authenticator against that identity store more complex, and it diverges from the process documented in the "Preparing the Identity Store" section of the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

Workaround: To address this issue, apply BLR patch #16570348. You can download this patch from My Oracle Support at the following location:

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info

After applying this patch, the idmConfigTool will work as documented in the Administrator's Guide.

8.1.3 Deprecated Features for Oracle Privileged Account Manager Restful API

The following table lists the Oracle Privileged Account Manager RESTful APIs that were available in the Oracle Fusion Middleware 11g Release 2 (11.1.2.1.0) release and have been deprecated in 11g Release 2 (11.1.2.2.0). In addition, this table lists the new, equivalent APIs and provides links to topics in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager that describe how to use the new APIs.

  • Deprecated API (11gR2 11.1.2.1.0): Show Service Account Password in the Target Resource. New API (11gR2 11.1.2.2.0): Show Service Account Password in the Target Resource. Refer to "Show Service Account Password" in the "Target Resource" section.

  • Deprecated API (11gR2 11.1.2.1.0): Show Password in the Account Resource. New API (11gR2 11.1.2.2.0): Show Password in Account Resource. Refer to "Show Password" in the "Account Resource" section.

  • Deprecated API (11gR2 11.1.2.1.0): Show Password History in the Account Resource. New API (11gR2 11.1.2.2.0): Show Password History in Account Resource. Refer to "Show Password History" in the "Account Resource" section.

  • Deprecated API (11gR2 11.1.2.1.0): Search Accounts in the UI Resource. New API (11gR2 11.1.2.2.0): Search Accounts in Account Resource. Refer to "Search Accounts" in the "Account Resource" section.

  • Deprecated API (11gR2 11.1.2.1.0): Search Assigned Accounts in the UI Resource. New API (11gR2 11.1.2.2.0): Search Assigned Accounts in Account Resource. Refer to "Search Assigned Accounts" in the "Account Resource" section.

  • Deprecated API (11gR2 11.1.2.1.0): Get All Checked Out Accounts in the UI Resource. New API (11gR2 11.1.2.2.0): Get All Checked Out Accounts in Account Resource. Refer to "Get All Checked Out Accounts" in the "Account Resource" section.

8.1.4 Thread Count Continuously Increases During Oracle Privileged Session Manager Session Checkouts

To prevent thread counts from continuously increasing as Oracle Privileged Session Manager session checkouts progress, you must implement the following idle connection timeouts for each Unix target node so that when a connection has been idle for 20 minutes, it will be closed:

ClientAliveInterval 600
ClientAliveCountMax 2

Where the ClientAliveInterval value is in seconds.

For example, on Linux, you must edit the /etc/ssh/sshd_config file to add these parameters.

Note:

For more information about the ClientAliveInterval and ClientAliveCountMax keywords, refer to the sshd_config UNIX man page.
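The following shell check is an added example, not part of the Oracle release notes: it reads the first ClientAliveInterval and ClientAliveCountMax values from an sshd_config file (sshd uses the first occurrence of a keyword), computes the effective idle timeout, and reports whether a target node closes idle sessions within the 20 minutes required above. The function names and the sample config files are constructed for this example.

```shell
#!/bin/sh
# Added check (not Oracle's code): verify that a Unix target node's
# sshd_config closes idle sessions within 20 minutes (1200 s), the value the
# OPAM note requires to stop session-checkout thread counts from growing.

# Print the first value set for a keyword (case-insensitive, "Keyword value"
# form), or the supplied sshd default when the keyword is absent.
ssh_keyword_value() {
    # $1 = sshd_config path, $2 = keyword, $3 = sshd default
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# Print the effective idle timeout in seconds (interval * count).
# sshd defaults: ClientAliveInterval 0 (checks disabled), ClientAliveCountMax 3.
opam_idle_timeout() {
    interval=$(ssh_keyword_value "$1" ClientAliveInterval 0)
    count=$(ssh_keyword_value "$1" ClientAliveCountMax 3)
    echo $((interval * count))
}

# Succeed (exit 0) only if idle sessions are closed within 1200 seconds;
# a timeout of 0 means keepalive checks are disabled, which also fails.
opam_idle_timeout_ok() {
    t=$(opam_idle_timeout "$1")
    [ "$t" -gt 0 ] && [ "$t" -le 1200 ]
}

# Constructed sample configs (not real hosts) so the check runs stand-alone:
# one with the values from the note, one where the setting is only commented out.
OPAM_OK_CFG=$(mktemp); OPAM_BAD_CFG=$(mktemp)
trap 'rm -f "$OPAM_OK_CFG" "$OPAM_BAD_CFG"' EXIT
printf 'Port 22\nClientAliveInterval 600\nClientAliveCountMax 2\n' > "$OPAM_OK_CFG"
printf 'Port 22\n# ClientAliveInterval 600\n' > "$OPAM_BAD_CFG"

opam_idle_timeout_ok "$OPAM_OK_CFG"  && echo "sample ok config: idle timeout $(opam_idle_timeout "$OPAM_OK_CFG") s"
opam_idle_timeout_ok "$OPAM_BAD_CFG" || echo "sample bad config: idle timeout $(opam_idle_timeout "$OPAM_BAD_CFG") s (needs fixing)"
```

Run it against /etc/ssh/sshd_config on each target node by calling opam_idle_timeout_ok with that path; it only handles the "Keyword value" form, not the "Keyword=value" form sshd also accepts.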

8.1.5 Unlimited Tablespace Privilege Missing When Using Oracle Database 12.1

Oracle Privileged Account Manager operations fail with a database error when you use Oracle Database 12.1.0.1 or higher. This error is displayed in the Oracle Privileged Account Manager server logs and is similar to the following:

<Error> <oracle.idm.opam> <BEA-000000> <OPAMSQLManager.executeUpdateStatementSQLException occurred SQLErrorCode=1950 SQLErrorMesg=ORA-01950: no privileges on tablespace 'DEV_OPAM_BINSTORE'>

Oracle Database removed the Unlimited Tablespace privilege that was assigned to the Resource DB role, starting with the 12.1 release. The removal of this privilege has caused issues for Oracle Privileged Account Manager operations. For a description of the Oracle Database 12.1 release changes, refer to the following:

http://docs.oracle.com/cd/E16655_01/network.121/e17607/release_changes.htm#DBSEG941

Workaround: Log in to Oracle Database using SQL*Plus as the SYS user. Run the following SQL command to grant unlimited tablespace to the Oracle Privileged Account Manager schema user:

grant unlimited tablespace to <opam_schema>;

For example, if the Oracle Privileged Account Manager schema name is dev_opam, then you would run the following command:

grant unlimited tablespace to dev_opam;

8.1.6 Session Checkout Does Not Appear In "My Checkouts"

Session checkouts will not appear in My Checkouts unless the same (case-sensitive) username that was used to log in to the Oracle Privileged Account Manager GUI Console is also used to initiate the session.

8.1.7 Improve User and Group Search Performance

18621722

Oracle Privileged Account Manager's identity store searches may not perform well when searching large user bases.

Oracle Privileged Account Manager performs a contains search when looking up users and groups in the identity store. A contains search can be expensive for some identity stores because the contains indexes may not be present or may not perform well. Also, when performing user searches, Oracle Privileged Account Manager looks for the given search keyword in the user's login ID, mail, firstname, and lastname. Looking for multiple attributes in a user search may also cause performance issues, which can manifest themselves as timeout issues when searching in the identity store.

Workaround: To address this issue, apply BLR patch #18621722.

This patch changes the default search behavior for identity store searches. After applying this patch, Oracle Privileged Account Manager performs a "beginswith" search for both user and group lookups by default. This search behavior is configurable through the Oracle Privileged Account Manager Console: the Server Configuration page now has an Identity Store search filter configuration parameter whose allowed values are beginswith and contains.

Also, user attribute searches are now limited to a single attribute, the login ID.

You can download BLR patch #18621722 from My Oracle Support at the following location:

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info

8.1.8 Database Connections Leaked from Oracle Privileged Account Manager Server

18347777

Oracle Privileged Account Manager server operations can fail with an error message similar to the following:

<Reached maximum capacity of pool "opamDS", making "0" new resource instances instead of "1".>

This error happens when the Oracle Privileged Account Manager server runs out of database connections. If the WebLogic connection pool max size is set to a very low value, such as 15, then concurrent usage frequently exceeds this limit and causes this issue. You can fix this issue by increasing the connection pool max size. In rare cases, the background threads that Oracle Privileged Account Manager uses to enforce Password Policies and Usage Policies can leak database connections. This situation happens inconsistently because the leak only occurs in race conditions.

Workaround: To address this issue, apply BLR patch #18347777. You can download this patch from My Oracle Support at the following location:

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info

8.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topic:

8.2.1 Use Absolute Paths While Running configureSecurityStore.py With -m Join

The Config Security Store fails to create the policy store object when using variables such as ORACLE_HOME and MW_HOME while running wlst.sh using configureSecurityStore.py with -m join.

Always use absolute paths for ORACLE_HOME and MW_HOME while running the command for -m join.

8.2.2 Upgrade: CSF Mapping Does Not Get Imported

Oracle Privileged Account Manager privileged accounts can optionally contain CSF mappings to synchronize account credentials with the Oracle Credential Store Framework (see "Adding CSF Mappings" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager).

The Oracle Privileged Account Manager command line tool (CLI) export command does not export these optionally configured CSF mappings to the exported XML file. As a result, if you export Oracle Privileged Account Manager data to XML and import the data back from the exported XML, then the CSF mappings will be missing.

Workaround: You must manually update the CSF mappings as follows:

  1. Use the CLI retrieveaccount command to retrieve the account details, including the CSF mappings. (See "retrieveaccount Command" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.)

  2. Use the retrieveaccount command to fetch and save details about the relevant accounts.

  3. Export the data by using the export command.

  4. Import the data by using the import command.

  5. Use the saved account details to manually update the CSF mappings for relevant accounts. (See "Adding CSF Mappings" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager).

8.3 Documentation Errata

This section contains documentation errata for the following publications:

8.3.1 Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager

Currently, there are no documentation issues to note for the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

8.3.2 Oracle Fusion Middleware High Availability Guide

This section contains documentation errata for the Oracle Fusion Middleware High Availability Guide.

In the Oracle Fusion Middleware High Availability Guide for 11g Release 2 (11.1.2.1.0), Part Number E28391-04, update the following:

  • In sections 9.8.5.3 and 9.8.5.4.1, the Installing and Configuring Oracle Identity and Access Management guide release number should read "11.1.2.1.0".

  • In section 9.8.5.4.1, Configuring Oracle Identity Management on OPAMHOST1, after Item 2 (Install the Oracle Identity and Access Management software), add the following step: "Optionally, Oracle Privileged Account Manager can operate with Oracle Database TDE (Transparent Data Encryption) mode. For more information, see Section 9.4, Optional: Enabling TDE in Oracle Privileged Account Manager Data Store in the guide Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management."

  • At the end of section 9.8.5.4.5, Starting Oracle Privileged Account Manager on OPAMHOST1, add the following item: "For more information, see sections 9.9, Assigning the Application Configurator Role to a User and 9.10, Optional: Setting Up Non-TDE Mode in the guide Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. Section 9.10 Optional: Setting Up Non-TDE Mode is required only if you did not set up TDE as section 9.8.4.1 explains in the guide Installing and Configuring Oracle Identity and Access Management."

8.3.3 Oracle Fusion Middleware Patching Guide for Identity and Access Management

This section contains documentation errata for the Oracle Fusion Middleware Patching Guide for Identity and Access Management 11g Release 2 (11.1.2.1.0), Part Number E36789-02.

The order of sections provided for patching Oracle Privileged Account Manager in the Oracle Fusion Middleware Patching Guide for Identity and Access Management must be corrected. When patching Oracle Privileged Account Manager you must perform the steps in the following order:

  1. Enable TDE in Oracle Privileged Account Manager Data Store or Configure Non-TDE Mode

  2. Import Pre-Upgrade OPAM Data

Consequently, the sections provided in the Oracle Fusion Middleware Patching Guide for Identity and Access Management must be rearranged as follows:

  • 3.7.5 "Optional: Enabling TDE in Oracle Privileged Account Manager Data Store"

  • 3.7.6 "Optional: Configuring Non-TDE Mode"

  • 3.7.7 "Importing Pre-Upgrade OPAM Data"