This chapter describes the common issues that you may encounter during the Oracle Identity and Access Management upgrade process, and their corresponding workarounds.
This chapter includes the following sections:
Section 25.1, "Troubleshooting Oracle Identity Manager Upgrade Issues"
Section 25.2, "Troubleshooting Oracle Access Management Upgrade Issues"
This section describes the workaround for the common issues that you may encounter during the Oracle Identity Manager upgrade process. This section includes the following topics:
Errors or Warnings During Oracle Identity Manager Middle Tier Offline Upgrade
Reviewing Autodiscovery.properties File Created During the OIM Middle Tier Upgrade
Errors or Warning During Oracle Identity Manager Middle Tier Online Upgrade
All Features not Upgraded During Oracle Identity Manager Middle Tier Upgrade
Unable to Access Pending Approvals After OIM Middle Tier Online Upgrade
OIM Middle Tier Online Upgrade Fails in Examine Phase in SSL Environment
This section lists the issues you might encounter while generating pre-upgrade report for Oracle Identity Manager. This section includes the following topics:
If you get a validation error while generating the pre-upgrade report for Oracle Identity Manager, check if you have specified the correct values in the preupgrade_report_input.properties file.
Table 25-1 lists the log messages displayed during validation failure, and their respective solutions.
Table 25-1 Log Messages for Validation Failures During Pre-Upgrade Report Generation for OIM
| Log Message | Cause | Solution |
|---|---|---|
| | If Database is not in running state. | Start the Database. |
| | If OIM schema password is incorrect. | Check the OIM schema username and password that you have specified in the |
| | If MDS schema password is incorrect. | Check the MDS schema username and password that you have specified in the |
If you get a plugin failure error while generating the pre-upgrade report for Oracle Identity Manager, skip the failing plugin and re-run the pre-upgrade report utility. Raise a Service Request (SR) for the failed plugin. To skip the failed plugin, you must edit the PreUpgrade_Report_Directory/server/upgrade/UpgradeMetadata.xml file to remove the failed plugin.
Table 25-2 lists the log messages displayed during plugin failure, and their respective solutions.
Table 25-2 Log Messages for Plugin Failures During Pre-Upgrade Report Generation for OIM
| Log Message | Cause | Solution |
|---|---|---|
| | Check the | Edit the |
Table 25-3 provides the list of plugins and reports.
Table 25-3 List of Plugins and Reports
Plugin | Report |
---|---|
The following invalid triggers are found in the Oracle Identity Manager schema:
UD_EBS_RLO_ENT_TRG INVALID
UD_EBS_RSO_ENT_TRG INVALID
These are the triggers of Resource Form which are no longer used. Therefore, you can ignore this.
Oracle Identity Manager binary upgrade fails if you are not using the correct OPatch version. The OPatch version supported for Oracle Identity Manager 11.1.2.3.0 is Oracle Interim Patch Installer version 11.1.0.10.3. Therefore, verify the OPatch version before you upgrade Oracle Identity Manager binaries.
For any other issues during Oracle Identity Manager binary upgrade, check the installation log files. For information about locating the installation log files, see "Locating Installation Log Files" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
If Patch Set Assistant (PSA) is stuck for a long time, you can check the block that is currently being executed. The last block at the end of the PSA log file is the block that is currently being executed. The following is the location of the PSA logs:
On UNIX: MW_HOME/oracle_common/upgrade/logs/psa<time_stamp>.log
On Windows: MW_HOME\Oracle_common\upgrade\logs\psa<time_stamp>.log
For any other issues encountered during upgrading schemas using PSA, check the PSA logs, fix the issue, and run the PSA again.
If Upgrade Assistant (UA) fails during Oracle Identity Manager upgrade, check the UA logs at the following location:
On UNIX: ORACLE_HOME/upgrade/logs/ua<time_stamp>.log
On Windows: ORACLE_HOME\upgrade\logs\ua<time_stamp>.log
Fix the issue, and run the UA again.
The Oracle Identity Manager middle tier upgrade utility backs up the domain configuration before and after the middle tier offline upgrade. These backups can be used for debugging. The backed-up files are located in the ORACLE_HOME/server/upgrade/logs/MT/OIMUpgrade_backup/ directory.
You can restore these backups if required.
Table 25-4 lists the backups taken by the OIM middle tier offline upgrade utility.
Table 25-4 Backups Taken by Middle Tier Offline Upgrade Utility
| File Name | Description | Timing |
|---|---|---|
| | This is the backup of the | After the OIM middle tier offline execution. |
| | This is the backup of the | After the OIM middle tier offline execution. |
| | This is the backup of | Before the OIM middle tier offline execution. |
| | This is the backup of the | Before the OIM middle tier offline execution. |
| | This is the backup of policies. This backup is taken if you are upgrading OIM 11.1.2.x.x environments. | Before the OIM middle tier offline execution. |
If Oracle Identity Manager middle tier offline upgrade fails, you must do the following:
Check the HTML reports generated at ORACLE_HOME/server/upgrade/logs/MT/oimUpgradeReportDir_offline. If there are any issues, fix them and run the Oracle Identity Manager middle tier offline upgrade tool again.
Check the log files located at ORACLE_HOME/server/upgrade/logs/MT/. For the list of logs generated for Oracle Identity Manager middle tier offline upgrade, see Table 24-11, "Logs Generated for OIM Middle Tier Offline Upgrade". Fix the issue, if any, and re-run the middle tier offline upgrade.
This section includes the following topics:
For any validation failures during Oracle Identity Manager middle tier offline upgrade, see the log messages listed in Table 25-5 and perform the necessary action.
Table 25-5 Log Messages for Validation Failure During OIM Middle Tier Offline Upgrade
Log Message | Cause | Workaround |
---|---|---|
|
If Database is not up and running. |
Start the Database. |
|
If OIM schema credentials are incorrect. |
Check the OIM schema username and password in the |
|
If Metadata Services (MDS) schema credentials are incorrect. |
Check the MDS schema username and password in the |
|
If Oracle SOA Suite (SOAINFRA) schema credentials are incorrect. |
Check the username and password of the SOAINFRA schema. |
|
If the target version specified in the |
Specify the target version as |
or
or
|
If the WebLogic Administration Server or Oracle SOA Suite Managed Server(s) or Oracle Identity Manager Managed Server(s) are in running state. |
Shut down the WebLogic Administration Server, Oracle SOA Suite Managed Server(s), and Oracle Identity Manager Managed Server(s) before running the OIM middle tier offline upgrade. |
|
If the Domain Home specified in the |
Specify the correct OIM domain home for the property |
|
If the OIM domain directory does not have write permission |
Provide Write permission to the OIM domain home directory. |
|
If |
Delete the |
|
If prerequisite of any plug-in fails. |
Fix the issue for the plugin feature ID |
For any plugin failures during Oracle Identity Manager offline upgrade, do the following, depending on the log message listed in Table 25-6:
Open the file ORACLE_HOME/server/upgrade/oim-upgrade-plugin.xml, and comment out the body of the target mentioned in the Log Message column in Table 25-6.
Launch the WebLogic Scripting Tool (WLST) by running the following command from the location ORACLE_HOME/common/bin:
On UNIX: ./wlst.sh
On Windows: wlst.cmd
Run the python command mentioned in the Workaround column with the appropriate parameters, for the corresponding log message.
After the python command is successfully executed, resume the OIM middle tier offline upgrade. If it fails, raise a Service Request.
Table 25-6 Log Messages for Validation Failure During OIM Middle Tier Offline Upgrade
| Log Message | Ant Log File | Workaround |
|---|---|---|
| | | Run the following command: In the above command, |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location For single node environment: For cluster environment: |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location |
Table 25-7 lists the log messages for issues other than validation and plugin issues, log filename, and corresponding solutions.
Table 25-7 Other Failures During OIM Middle Tier Offline Upgrade
Log Message | Ant Log File / Cause | Workaround |
---|---|---|
|
|
Run the following java commands:
|
|
Complete the following steps:
|
|
|
BIP plugin fails with error in log file:
|
Run the following command from the location
|
|
BIP plugin fails with error in log file:
|
Run the following command from the location
|
|
If some plugins are not populated in the |
Run OIM middle tier offline upgrade or disable the plugins that are not populated in the |
|
|
This warning can be ignored. |
|
This warning is displayed on the console during reconciliation feature upgrade. |
This warning can be ignored. |
Command FAILED, Reason: JPS-00027: There was an internal error: java.sql.SQLException: ORA-12801: error signaled in parallel query server P001 ORA-01460: unimplemented or unreasonable conversion requested oracle.security.jps.internal.api.common.JpsPolicyStoreLdapNodeCreationException: JPS-00027: There was an internal error: java.sql.SQLException: ORA-12801: error signaled in parallel query server P001 ORA-01460: unimplemented or unreasonable conversion requested |
This error occurs when you upgrade Oracle Identity Manager 11g Release 2 (11.1.2.1.0) with Bundle Patch. |
To resolve this issue, either apply Patch 13099577 or use the following workaround: Set the properties For example: parallel_max_servers integer 0 parallel_min_servers integer 0 |
Some properties are auto-discovered by the Oracle Identity Manager middle tier upgrade utility to reduce the number of properties that you need to specify manually during upgrade. When the middle tier upgrade for OIM is run for the first time, the Autodiscovery.properties file is created at the location ORACLE_HOME/server/upgrade. This file contains the following parameters that are auto-discovered by the middle tier upgrade utility:
opssDBSslArgs
opssjdbcDriverName
is_cluster_oim
soaProtocol
oim_target
weblogicProtocol
OPSSSchemaPassword <encrypted value>
opssUser
opssUrl
soa_target
admin_target
The autodiscovery module is executed and the Autodiscovery.properties file is created only the first time the middle tier upgrade script is run. Once this file is created, autodiscovery is not executed again. The next time you run the middle tier upgrade script, the properties are read from the existing Autodiscovery.properties file.
If you encounter any issues during OIM middle tier upgrade, review the properties in the Autodiscovery.properties file and verify that the values are correct. If any of the values are incorrect, update them and run the middle tier upgrade utility again.
If you want all of the properties to be auto-discovered again, remove the Autodiscovery.properties file from the directory ORACLE_HOME/server/upgrade, and run the Oracle Identity Manager middle tier upgrade (online or offline) again.
If Oracle Identity Manager middle tier online upgrade fails, you must do the following:
Check the HTML reports generated at ORACLE_HOME/server/upgrade/logs/MT/oimUpgradeReportDir_online.
Check the following log files generated at ORACLE_HOME/server/upgrade/logs/MT/:
OIMUpgrade_online<timestamp>.log
ant_createUserInSecurityRealm_BISystemUser.log
ant_updateBIPJmsSecurity.log
ant_importOwSMPolicySCIM.log
This section includes the following topics:
For any validation failures during Oracle Identity Manager middle tier online upgrade, see the log messages listed in Table 25-8 and perform the necessary action.
Table 25-8 Log Messages for Validation Failure During OIM Middle Tier Online Upgrade
| Log Message | Cause | Workaround |
|---|---|---|
| | If the value specified for Administration Server host property in the | Update the correct value for Administration Server host property in the |
| | If the values specified for SOA Server properties are incorrect in the | Update the correct value for SOA server properties in the |
| | If some plugins are not upgraded. | Disable the plugins in the |
| | If prerequisite of any plug-in fails. | Fix the issue for the plugin feature ID |
For any plugin failures during Oracle Identity Manager online upgrade, do the following, depending on the log message listed in Table 25-9:
Open the file ORACLE_HOME/server/upgrade/oim-upgrade-plugin.xml, and comment out the body of the target mentioned in the Log Message column in Table 25-9.
Launch the WebLogic Scripting Tool (WLST) by running the following command from the location ORACLE_HOME/common/bin:
Run the python command mentioned in the Workaround column with the appropriate parameters, for the corresponding log message.
After the python command is successfully executed, resume the OIM middle tier online upgrade. If it fails, raise a Service Request.
Table 25-9 Log Messages for Validation Failure During OIM Middle Tier Online Upgrade
| Log Message | Ant Log File | Workaround |
|---|---|---|
| | | Run the following command from the location |
| | | Run the following command from the location |
| | | Run the following command from the location In case of SSL environment, use the following properties as well: |
If you encounter any issues related to Metadata Services (MDS) patching, check the MDS patching reports generated at the following location:
On UNIX: ORACLE_HOME/server/logs/MDS_REPORT_DIRECTORY/MDSReport.html
On Windows: ORACLE_HOME\server\logs\MDS_REPORT_DIRECTORY\MDSReport.html
For information about re-running MDS patching, see My Oracle Support Document ID 1536894.1.
If any of the MDS documents are not merged correctly, merge them manually from the following locations:
On UNIX:
ORACLE_HOME/server/logs/sourceDir - This is the OOTB MDS data location.
ORACLE_HOME/server/logs/targetDir - This is the target MDS data location.
On Windows:
ORACLE_HOME\server\logs\sourceDir - This is the OOTB MDS data location.
ORACLE_HOME\server\logs\targetDir - This is the target MDS data location.
If you encounter the following JDBC error, add an additional environment variable TZ, which is the time zone name, like GMT.
ORA-01882: timezone region not found
The environment variable must be set with older databases, or you will get an error.
For more information, see My Oracle Support Document ID 1068063.1.
After you upgrade Oracle Identity Manager 11.1.1.5.0 high availability environments to Oracle Identity Manager 11.1.2.3.0, you might see the following exception in the logs when you create users:
[2013-11-19T23:41:51.507-08:00] [oim_server1] [ERROR] [] [oracle.ods.virtualization.exception] [tid: UCP-worker-thread-19] [userId: oiminternal] [ecid: 004utMMAEYz1VcP5Ifp2if00023p000Tdf,0] [APP: oim#11.1.1.3.0] Could not initialize default mapping config[[ javax.xml.bind.UnmarshalException - with linked exception: [java.io.FileNotFoundException: /scratch/Oracle/Middleware/user_projects/domains/IDMDomain/config/fmwconfig/ovd/oim/mappings.os_xml (No such file or directory)
This does not cause the user creation task to fail. However, to eliminate this exception, you must manually copy the file mappings.os_xml from the location $MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/templates/mappings.os_xml to the directory $DOMAIN_HOME/config/fmwconfig/ovd/oim.
If any of the Oracle Identity Manager features are not upgraded during the Oracle Identity Manager middle tier upgrade, check the upgrade reports generated at the following location:
Middle tier offline upgrade reports: ORACLE_HOME/upgrade/logs/MT/oimUpgradeReportDir_offline/index.html
Middle tier online upgrade reports: ORACLE_HOME/upgrade/logs/MT/oimUpgradeReportDir_online/index.html
To re-run the middle tier upgrade for a specific feature after analyzing and fixing the cause of failure, set the force option of the specific feature upgrade plugin to true or false accordingly in the UpgradeMetadata.xml file located at ORACLE_HOME/server/upgrade/.
Oracle Identity Manager upgrade provides control points in the oimupgrade.properties file located at ORACLE_HOME\server\bin. If any feature upgrade fails, you can continue with the upgrade by disabling the failed feature by setting the corresponding feature upgrade property to false. To enable a specific feature for upgrade, you must set the property to true.
By default, all the properties are set to true.
Set the following property to false if you do not want to run Oracle Identity Manager configuration upgrade:
oim.ps1.config.patch=true
Set the following property to false if you do not want to run SOA composite upgrade:
oim.ps1.soacomposite.patch=true
Set the following property to false if you do not want to run Patch JNDI provider:
oim.domainextension.jndiprovider.patch=true
Set the following property to false if you do not want to run Patch ClassPath:
oim.domainextension.classpath.patch=true
Set the following property to false if you do not want to run Patch OPSS:
oim.domainextension.opss.patch=true
Set the following property to false if you do not want to run Patch ears:
oim.domainextension.ear.patch=true
Set the following property to false if you do not want to run Patch JRF:
oim.domainextension.jrf.patch=true
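The review of Autodiscovery.properties described earlier and the control points listed above can both be checked by script before the middle tier upgrade is re-run. The following Python is an added example, not Oracle code; it assumes both files use plain key=value syntax, and the sample contents (host name, schema user, password placeholder) are constructed.

```python
import re

# Parameters the page lists as auto-discovered into Autodiscovery.properties.
AUTODISCOVERED_KEYS = [
    "opssDBSslArgs", "opssjdbcDriverName", "is_cluster_oim", "soaProtocol",
    "oim_target", "weblogicProtocol", "OPSSSchemaPassword", "opssUser",
    "opssUrl", "soa_target", "admin_target",
]

# Control points the page lists in oimupgrade.properties (default: true).
FEATURE_TOGGLES = {
    "oim.ps1.config.patch": "Oracle Identity Manager configuration upgrade",
    "oim.ps1.soacomposite.patch": "SOA composite upgrade",
    "oim.domainextension.jndiprovider.patch": "Patch JNDI provider",
    "oim.domainextension.classpath.patch": "Patch ClassPath",
    "oim.domainextension.opss.patch": "Patch OPSS",
    "oim.domainextension.ear.patch": "Patch ears",
    "oim.domainextension.jrf.patch": "Patch JRF",
}


def parse_properties(text):
    """Read key=value or key:value lines; '#' and '!' start comments.
    Line continuations and escapes are assumed absent."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def review_autodiscovery(text):
    """List documented keys that are missing or empty, plus undocumented keys.
    Empty values are reported for review, not treated as errors."""
    props = parse_properties(text)
    return {
        "missing": [k for k in AUTODISCOVERED_KEYS if k not in props],
        "empty": [k for k in AUTODISCOVERED_KEYS if props.get(k) == ""],
        "unexpected": sorted(set(props) - set(AUTODISCOVERED_KEYS)),
    }


def skipped_features(text):
    """Return (features set to false, keys that are absent or not true/false)."""
    props = parse_properties(text)
    skipped, unclear = [], []
    for key, feature in FEATURE_TOGGLES.items():
        value = props.get(key)
        if value is not None and value.lower() == "false":
            skipped.append(feature)
        elif value is None or value.lower() != "true":
            unclear.append(key)
    return skipped, unclear


def redact(props):
    """Copy of props that is safe to paste into a ticket or Service Request."""
    return {k: ("<redacted>" if "password" in k.lower() else v)
            for k, v in props.items()}


# Constructed sample contents; every value is a placeholder.
SAMPLE_AUTODISCOVERY = """\
# constructed sample
opssDBSslArgs=
opssjdbcDriverName=oracle.jdbc.OracleDriver
is_cluster_oim=false
soaProtocol=t3
oim_target=oim_server1
weblogicProtocol=t3
OPSSSchemaPassword=PLACEHOLDER_ENCRYPTED_VALUE
opssUser=DEV_OPSS
opssUrl=jdbc:oracle:thin:@db.example.com:1521/orcl
admin_target=AdminServer
"""

SAMPLE_OIMUPGRADE = """\
oim.ps1.config.patch=true
oim.ps1.soacomposite.patch=true
oim.domainextension.jndiprovider.patch=true
oim.domainextension.classpath.patch=true
oim.domainextension.opss.patch=false
oim.domainextension.ear.patch=true
oim.domainextension.jrf.patch=true
"""

if __name__ == "__main__":
    print(review_autodiscovery(SAMPLE_AUTODISCOVERY))
    print(skipped_features(SAMPLE_OIMUPGRADE))
    print(redact(parse_properties(SAMPLE_AUTODISCOVERY)))
```

A control point left at false after troubleshooting means that feature was never upgraded, so the list returned by skipped_features is worth checking before the environment is handed back.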
This section describes how to check a new data source added, SOA Foreign JNDI provider, and the order of EARs on the WebLogic Administration Console.
To check the new data source added, do the following:
Log in to WebLogic Administration Console using the following URL:
http://host:port/console
Click Data Sources.
Verify the data source given below:
Name | Type | JNDI Name | Targets |
---|---|---|---|
ApplicationDBDS | Generic | jdbc/ApplicationDBDS | oim_server1 (for single node upgrade) |
To check for SOA Foreign JNDI provider, do the following:
Log in to WebLogic Administration Console using the following URL:
http://host:port/console
Click Foreign JNDI Providers.
Verify the existence of Foreign JNDI providers given below:
Name | Initial Context Factory | Provider URL | User | Targets |
---|---|---|---|---|
ForeignJNDIProvider-SOA | weblogic.jndi.WLInitialContextFactory | For single node upgrade: For cluster upgrade: | WebLogic | oim_server1 (for single node upgrade) |
Note:
If you are upgrading Oracle Identity Manager High Availability environments, the Provider URL may contain the host and port of soa_server1 only. In that case, you must add the host and port of soa_server2 to the Provider URL manually.
To check the order of the EARs, do the following:
Log in to WebLogic Administration Console using the following URL:
http://host:port/console
Click Deployments.
Verify the deployment order for the following list respectively:
Name | State | Health | Type | Deployment Order |
---|---|---|---|---|
oim (11.1.1.3.0) | Active | OK | Enterprise Application | 48 |
OIMAppMetadata (11.1.2.0.0) | Active | OK | Enterprise Application | 47 |
OIMMetadata (11.1.1.3.0) | Active | OK | Enterprise Application | 46 |
oracle.iam.console.identity.sysadmin.ear (V2.0) | Active | OK | Enterprise Application | 406 |
oracle.iam.console.identity.self-service.ear (V2.0) | Active | OK | Enterprise Application | 405 |
oracle.iam.ui.custom(11.1.1,11.1.1) | Active | | Library | 404 |
oracle.iam.ui.oia-view(11.1.1,11.1.1) | Active | | Library | 403 |
oracle.iam.ui.view(11.1.1,11.1.1) | Active | | Library | 402 |
oracle.iam.ui.model(1.0,11.1.1.5.0) | Active | | Library | 401 |
After you upgrade Oracle Identity Manager middle tier in an Oracle Identity Manager, Oracle Access Manager, and Oracle Adaptive Access Manager integrated highly available environment, when you start the Administration Server, the following exception is displayed in the AdminServer.log file:
<Warning> <RMI> <slc04ugw> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <1f1bf9f1ae475b6d:25e02b64:14c48129185:-8000-0000000000000005> <1427138521873> <BEA-080003> <RuntimeException thrown by rmi server: javax.management.remote.rmi.RMIConnectionImpl.getAttribute(Ljavax.management.ObjectName;Ljava.lang.String;Ljavax.security.auth.Subject;)
java.lang.NullPointerException.
java.lang.NullPointerException
at java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:768)
at weblogic.management.mbeanservers.internal.JMXContextInterceptor.getMBeanContextLoader(JMXContextInterceptor.java:475)
at weblogic.management.mbeanservers.internal.JMXContextInterceptor.getAttribute(JMXContextInterceptor.java:146)
This warning can be ignored.
After upgrading Oracle Identity Manager in an Oracle Identity Manager, Access Manager, and Oracle Adaptive Access Manager integrated environment, if Oracle Identity Manager incremental reconciliation is not working, complete the following steps:
Disable all of the incremental reconciliation jobs (total 6 in all), if not already disabled.
Run the following full reconciliation jobs:
LDAP Role Delete Full Reconciliation
LDAP User Delete Full Reconciliation
LDAP Role Create and Update Full Reconciliation
LDAP Role Hierarchy Full Reconciliation
LDAP User Create and Update Full Reconciliation
LDAP Role Membership Full Reconciliation
Get the latest changelog from Oracle Unified Directory (OUD) by using the following command:
ldapsearch -h OUD_HOST -p OUD_PORT -D "cn=Directory Manager" -w PASSWORD -b "" -s base "objectclass=*" lastExternalChangelogCookie
In the above command,
OUD_HOST refers to the host on which OUD is running.
OUD_PORT refers to the port of the OUD.
Update all the six incremental reconciliation jobs with the changelog value and enable them.
After you perform Oracle Identity Manager middle tier online upgrade, you may not be able to access pending approvals if you had accessed "Pending Approvals" page on the browser before upgrading OIM middle tier.
The workaround for this issue is to clear out the browser cache and access the pending approvals again.
The following exception is seen in the MT logs when you upgrade Oracle Platform Security Services using the upgradeOpss command:
java.util.MissingResourceException: Can't find bundle for base name oracle.adf.share.wlst.resources.WlstHelp, locale en_US Error execing the Python script "C:\work\mw748\oracle_common\common\wlst\mdsWLSTCommands.py" caused an error "Traceback (innermost last): File "C:\work\mw748\oracle_common\common\wlst\mdsWLSTCommands.py", line 108, in ? ImportError: no module named common " Error execing the Python script "C:\work\mw748\oracle_common\common\wlst\URLConnWLST.py" caused an error "Traceback (innermost last): File "C:\work\mw748\oracle_common\common\wlst\URLConnWLST.py", line 12, in ? ImportError: no module named wlst
This exception is seen in the following logs:
ant_Update_setDomainEnv.log
ant_UpgardeJRF.log
ant_configureSecurityStore.log
ant_extendOPSSDomain.log
ant_isClusterOIM.log
This exception can be ignored.
Oracle Identity Manager middle tier online upgrade fails in examine phase in SSL environment with the following error, even though the WebLogic Server is up and running:
"Could not connect to admin server with details <host>:<port>"
The workaround for this issue is as follows:
Remove the OIM_HOME/server/upgrade/Autodiscovery.properties file.
Re-run the middle tier online upgrade.
When you upgrade Oracle Identity Manager 11.1.2.2.0, OIM schema upgrade fails with the following error, if the Oracle Identity Manager database contains access policies:
oracle.iam.oimupgrade.exceptions.OIMUpgradeException: SQL Exception in running Upgrade Scripts
at oracle.iam.oimupgrade.onehop.SchemaUpgradeManager.upgrade(SchemaUpgradeManager.java:281)
...
Caused by: java.sql.SQLException: ORA-22160: element at index [438] does not exist
ORA-06512: at line 66
The workaround for this issue is as follows:
After you upgrade the Oracle Identity Manager binaries to 11.1.2.3.0, open the oim_upg_R2PS2_R2PS3_common_policy_engine.sql file located at OIM_HOME/server/db/oim/oracle/Upgrade/oim11gR2PS2_2_R2PS3, in a text editor.
Replace line 280:
EXECUTE IMMEDIATE sqlstr USING v_pol_owner(idx);
with
EXECUTE IMMEDIATE sqlstr USING v_pol_owner_type(idx);
Save the modified file, and run the schema upgrade.
OPSS authorization may fail for some OIM operations after you upgrade OIM to 11.1.2.3 from an older release. For example, you may find that OIM PS policy is not seeded to the OPSS policy store.
The workaround for this issue is as follows:
Back up the existing JAZN data from MDS.
Upgrade OIM.
Re-seed the JAZN data from the backup.
For detailed procedure, see Doc ID 2138965.1 on My Oracle Support.
This section describes the workaround for the common issues that you may encounter during the Oracle Access Manager upgrade process. This section includes the following topics:
Exception While Accessing OAM Console Before Upgrading System Configuration
PolicyValidationException While Restarting Administration Server
Errors While Starting the Administration Server After Upgrade
Post Authentication Rules Tab is Disabled on Oracle Access Management Console After Upgrade
.oamkeystore File Size Reduced to 0 Byte After Extending the OAM Domain
During Oracle Access Manager 11.1.1.x.x upgrade, if you get a class not found exception, it is because you have not exited from the WLST console after running the exportAccessData command.
Exit the WLST console using the exit() command.
During Oracle Access Manager 11.1.1.x.x upgrade, when you try to access the Oracle Access Management Access Manager Administration Console before you upgrade system configurations as described in Section 12.16, "Upgrading System Configuration", the following exceptions are seen in the WebLogic Domain log file:
<Error> <oracle.oam.proxy.oam> <ADC2120940> <oam_server1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <b65aed48d5cfc0f4:25dd78c3:14b85e72198:-8000-00000000000033cc> <1423899074190> <OAM-04020> <Exception encountered while processing the request message: oracle.security.am.proxy.oam.requesthandler.OAMProxyException: Event Response status is STATUS_FAIL for GET_AUTHN_SCHEME event. Error code OAM-02073 status fail isExcluded false
at oracle.security.am.proxy.oam.requesthandler.NGProvider.checkProtected(NGProvider.java:4851)
<Error> <oracle.oam.agent-default> <OAMAGENT-00411> <Failed to access server: MajorCode: FATAL_ERROR, MinorCode: FATAL_ERROR>
<Feb 13, 2015 11:31:14 PM PST> <Warning> <oracle.oam.agent-default> <OAMAGENT-00410> <OAM Server can not be accessed, fallback to container policy: OpCode = 1 [IsResrcOpProtected], Returned Status = Major code: 3(FatalError) Minor code: 2(NoCode) , extraInfo = [prefHost:IAMSuiteAgent, resource:/oamconsole/afr/alta-v1/dialog_close_ena.png]>
<Feb 13, 2015 11:31:14 PM PST> <Error> <oracle.oam.agent-default> <BEA-000000> <OAM Server fatal error: OpCode = 1 [IsResrcOpProtected], Returned Status = Major code: 3(FatalError) Minor code: 2(NoCode) , extraInfo [prefHost:IAMSuiteAgent resource:/oamconsole/afr/alta-v1/dialog-resize-se.png]>
<Feb 13, 2015 11:31:14 PM PST> <Error> <oracle.oam.agent-default> <OAMAGENT-00411> <Failed to access server: MajorCode: FATAL_ERROR, MinorCode: FATAL_ERROR>
<Feb 13, 2015 11:31:14 PM PST> <Warning> <oracle.oam.agent-default> <OAMAGENT-00410> <OAM Server can not be accessed, fallback to container policy: OpCode = 1 [IsResrcOpProtected], Returned Status = Major code: 3(FatalError) Minor code: 2(NoCode) , extraInfo = [prefHost:IAMSuiteAgent, resource:/oamconsole/afr/alta-v1/dialog-resize-se.png]>
This is because compatibility mode is not supported for Oracle Access Manager 11.1.1.x.x upgrade. Therefore, it is mandatory to upgrade the system configurations in order to complete the Access Manager upgrade process.
The issue described in this section will be resolved after upgrading the system configurations by running the WLST command upgradeConfig() as described in Section 12.16, "Upgrading System Configuration".
If you get the following exception when you deploy the sdpclient.jar application, then the SDP library is already installed.
<Month <Date>, <Year> <Time> <Time ZOne> <Info> <J2EE Deployment SPI> <BEA-260121> <Initiating deploy operation for application, oracle.sdp.client#11.1.1@11.1.1 [archive: <ORACLE_HOME>/communications/modules/oracle.sdp.client_11.1.1/sdpclient.jar], to oam_server1 .> weblogic.management.ManagementException: [Deployer:149007]New source location, '<ORACLE_HOME>/communications/modules/oracle.sdp.client_11.1.1/sdpclient.jar', cannot be deployed to configured application, 'oracle.sdp.client [LibSpecVersion=11.1.1,LibImplVersion=11.1.1]'. The application source is at '<ORACLE_SOA_HOME>/communications/modules/oracle.sdp.client_11.1.1/sdpclient.jar'. Changing the source location is not allowed for a previously attempted deployment. Try deploying without specifying the source.Failed to deploy the application with status failed Current Status of your Deployment: Deployment command type: deploy Deployment State : failed Deployment Message : weblogic.management.ManagementException: [Deployer:149007]New source location, '<ORACLE_HOME>/communications/modules/oracle.sdp.client_11.1.1/sdpclient.jar', cannot be deployed to configured application, 'oracle.sdp.client [LibSpecVersion=11.1.1,LibImplVersion=11.1.1]'. The application source is at '<ORACLE_SOA_HOME>/communications/modules/oracle.sdp.client_11.1.1/sdpclient.jar'. Changing the source location is not allowed for a previously attempted deployment. Try deploying without specifying the source. Error occured while performing deploy : Target exception thrown while deploying application: Error occured while performing deploy : Deployment Failed. : Error occured while performing deploy : Deployment Failed. Use dumpStack() to view the full stacktrace Deploying application from <ORACLE_HOME>/oam/server/apps/oam-admin.ear to targets AdminServer (upload=false) ...
Complete the following steps to recover:
Log into the WebLogic console.
Check for the following library:
oracle.sdp.client(11.1.1,11.1.1)
Target this library to oam_server1
Run the following command:
deployOAMServer("<ORACLE_HOME>",adminTarget="AdminServer",serverTarget="oam_server1")
If you get the following error after the Access Manager server deployment, it is because the tmp and stage directories still exist in your environment.
Ignore it:
[HTTP:101216]Servlet: "AMInitServlet" failed to preload on startup in Web application: "oam". java.lang.ExceptionInInitializerError at java.lang.J9VMInternals.initialize(J9VMInternals.java:222) at oracle.security.am.engines.sso.adapter.AbstractSessionAdapterImpl.checkAndInit(AbstractSessionAdapterImpl.java:97) at oracle.security.am.engines.sso.adapter.AbstractSessionAdapterImpl.<init>(AbstractSessionAdapterImpl.java:75) at oracle.security.am.engines.sso.adapter.MultipleUserSessionAdapterImpl.<init>(MultipleUserSessionAdapterImpl.java:56) at oracle.security.am.engines.sso.adapter.MultipleUserSessionAdapterImpl.<clinit>(MultipleUserSessionAdapterImpl.java:45) at java.lang.J9VMInternals.initializeImpl(Native Method) at java.lang.J9VMInternals.initialize(J9VMInternals.java:200) at oracle.security.am.engines.sso.adapter.SessionManagementAdapterFactory.getAdapter(SessionManagementAdapterFactory.java:46)
During Oracle Access Manager 11.1.1.x.x upgrade, when you restart the Administration Server, the following error occurs if the 11.1.2.3.0 Repository Creation Utility is not new and has data.
oracle.security.am.common.policy.admin.impl.PolicyValidationException: OAMSSA-06045: An object of this type named "HTTP" already exists. at oracle.security.am.common.policy.admin.impl.ResourceTypeManagerImpl.isValidWrite(ResourceTypeManagerImpl.java:482) at oracle.security.am.common.policy.admin.impl.ResourceTypeManagerImpl.createResourceType(ResourceTypeManagerImpl.java:165) at oracle.security.am.common.policy.tools.OAMPolicyStoreBootstrap.createResourceType(OAMPolicyStoreBootstrap.java:554) at oracle.security.am.common.policy.tools.OAMPolicyStoreBootstrap.addOAMObjs(OAMPolicyStoreBootstrap.java:328) at oracle.security.am.common.policy.tools.OAMPolicyStoreBootstrap.addPolicyObjects(OAMPolicyStoreBootstrap.java:280) at oracle.security.am.common.policy.tools.OAMPolicyStoreBootstrap.bootstrap(OAMPolicyStoreBootstrap.java:233) at oracle.security.am.install.OAMInstaller.bootstrapOES(OAMInstaller.java:1064) at oracle.security.am.install.OAMInstaller.bootstrapPolicy(OAMInstaller.java:1423) at oracle.security.am.install.OAMInstaller.upgradePolicy(OAMInstaller.java:1513)
Check if a new Repository Creation Utility schema is created for Access Manager. Also check if the domain has been updated to use the new 11.1.2.3.0 Repository Creation Utility.
After you upgrade Oracle Access Manager 11.1.1.x.x to 11.1.2.3.0, when you restart the Access Manager Managed Server, you might see the following error if the folders tmp and stage still exist:
Caused by: com.bea.security.ParameterException: Invalid configuration: cannot locate class: com.bea.security.ssal.micro.MicroSecurityServiceManagerWrapper at com.bea.security.impl.SecurityRuntimeImpl.getNewInstance(SecurityRuntimeImpl.java:263) at com.bea.security.impl.SecurityRuntimeImpl.initialize(SecurityRuntimeImpl.java:313) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.bea.security.SecurityRuntime.initialize(SecurityRuntime.java:140) at com.bea.security.impl.MicroSMImpl.getInstance(MicroSMImpl.java:167)
This error is resolved once you remove the tmp and stage folders, as instructed in Section 12.15, "Deleting Folders".
This issue occurs during the following upgrade scenarios:
If you upgraded Oracle Access Manager 11g Release 1 (11.1.1.5.0) to Access Manager 11.1.2.3.0
If you upgraded Oracle Access Manager 11g Release 1 (11.1.1.5.0) to 11g Release 2 (11.1.2) first, and then to Access Manager 11.1.2.3.0
If the component versions of the packages oracle.dogwood.top and oracle.oam.server show 11.1.1.5.0 after upgrade, run the domain updater utility (com.oracle.cie.domain-update_1.0.0.0.jar) to update the domain-info.xml.
To upgrade the necessary Oracle Access Manager packages to 11.1.2.3.0, complete the following steps:
Go to the directory $ORACLE_HOME/oaam/upgrade. The domain updater utility com.oracle.cie.domain-update_1.0.0.0.jar file is located in this directory.
Upgrade the package oracle.dogwood.top 11.1.1.5.0 to 11.1.2.3.0 by running the following command:
java -cp $MW_HOME/utils/config/10.3/config-launch.jar:./com.oracle.cie.domain-update_1.0.0.0.jar com.oracle.cie.external.domain.DomainUpdater <DOMAIN_HOME> oracle.dogwood.top:11.1.1.5.0,:11.1.2.3.0
For example:
java -cp /scratch/Oracle/Middleware/utils/config/10.3/config-launch.jar:./com.oracle.cie.domain-update_1.0.0.0.jar com.oracle.cie.external.domain.DomainUpdater /scratch/Oracle/Middleware/user_projects/domains/OAMDomain oracle.dogwood.top:11.1.1.5.0,:11.1.2.3.0
Upgrade the package oracle.oam.server 11.1.1.5.0 to 11.1.2.3.0 by running the following command:
java -cp $MW_HOME/utils/config/10.3/config-launch.jar:./com.oracle.cie.domain-update_1.0.0.0.jar com.oracle.cie.external.domain.DomainUpdater <DOMAIN_HOME> oracle.oam.server:11.1.1.5.0,:11.1.2.3.0
For example:
java -cp /scratch/Oracle/Middleware/utils/config/10.3/config-launch.jar:./com.oracle.cie.domain-update_1.0.0.0.jar com.oracle.cie.external.domain.DomainUpdater /scratch/Oracle/Middleware/user_projects/domains/OAMDomain oracle.oam.server:11.1.1.5.0,:11.1.2.3.0
When you start the WebLogic Administration Server after you upgrade Access Manager to 11.1.2.3.0, you might see the following errors:
<Error> <Default> <BEA-000000> <Failed to communicate with any of configured Access Server, ensure that it is up and running.> <Error> <Default> <BEA-000000> <Failed to communicate with any of configured Access Server, ensure that it is up and running.> <Warning> <oracle.oam.agent-default> <OAMAGENT-00410> <OAM Server can not be accessed, fallback to container policy: fetchConfig failed, will keep trying ...>
This happens when the Administration Server is operational and the Access Manager Managed Servers are yet to be started.
You can ignore this error.
<Error> <oracle.mds> <BEA-000000> <exception thrown failed getMBeanServernull>
This error can be ignored.
The upgradeConfig() command performs policy operations to seamlessly migrate the policy stores. This requires higher memory. Therefore, if you encounter memory issues while running the upgradeConfig() command, do the following to increase the memory:
Go to the directory WL_HOME/common/bin, and open the wlst.sh file in an editor.
Update the memory argument in the wlst.sh file with the following value:
MEM_ARGS="-Xms1024m -Xmx2048m -XX:MaxPermSize=1024m"
Save the wlst.sh file, and rerun the upgradeConfig() command.
If you are performing the upgrade on an IPv6 machine, complete the following steps to resolve memory issues:
Go to the directory WL_HOME/common/bin, and open the wlst.sh file in an editor.
Update JVM_ARGS to include the -Djava.net.preferIPv4Stack=true argument as shown in the following example:
JVM_ARGS="-Dprod.props.file='${WL_HOME}'/.product.properties -Djava.net.preferIPv4Stack=true ${WLST_PROPERTIES} ${JVM_D64} ${MEM_ARGS} ${CONFIG_JVM_ARGS}"
Save the wlst.sh file, and rerun the upgradeConfig() command.
After you upgrade Oracle Access Manager 11.1.1.x.x to Access Manager 11.1.2.3.0, if you see a null exception while creating Identity Directory Service (IDS) or Enterprise Single Sign-On (ESSO) profile, do the following:
Create the directory DOMAIN_HOME/config/fmwconfig/ovd/ids.
Copy all the files from the directory MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/domain_config/ovd/ids/ to DOMAIN_HOME/config/fmwconfig/ovd/ids/ by running the following command:
cp MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/domain_config/ovd/ids/* DOMAIN_HOME/config/fmwconfig/ovd/ids/
Copy the file ovd-ids-mbeans.xml from the location MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/domain_config/mbeans to DOMAIN_HOME/config/fmwconfig/mbeans/ by running the following command:
cp MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/domain_config/mbeans/ovd-ids-mbeans.xml DOMAIN_HOME/config/fmwconfig/mbeans/
Update the Credential Store Framework (CSF) for IDS by running the following command from the location MW_HOME/oracle_common/bin/:
libovdconfig.sh -domainPath DOMAIN_HOME -contextName ids -host AdminServer_host -port AdminServer_port -userName AdminServer_username
In this command,
DOMAIN_HOME is the absolute path to the Access Manager domain.
AdminServer_host is the hostname of the WebLogic Administration Server.
AdminServer_port is the port of the WebLogic Administration Server.
AdminServer_username is the username of the WebLogic Administration console.
Restart the WebLogic Administration Server and the Access Manager Managed Server(s).
For information about stopping the servers, see Section 24.1.9, "Stopping the Servers". For information about starting the servers, see Section 24.1.8, "Starting the Servers".
The Post Authentication Rules tab is disabled post-upgrade. The post authentication rules are part of the Adaptive Authentication Services in 11.1.2.3.0. Therefore, you must explicitly enable the Adaptive Authentication Services post-upgrade, if required.
For information about enabling and using the Adaptive Authentication Services, see "Using the Adaptive Authentication Service" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
When you upgrade Oracle Access Manager 11.1.1.x.x to 11.1.2.3.0, the following exception is seen when you import the access data using the importAccessData command:
OutOfMemoryError SEVERE: Could not get an access to PolicyAdmin java.lang.NullPointerException
To resolve this, complete the following steps:
Open the oam_upgrade.properties file located at ORACLE_HOME/oam/server/wlst/scripts/sample_properties/oam_upgrade.properties, in a text editor.
Remove the line OAM_OFFLINE_POLICY_MIGRATION=true or set the value of this attribute to false.
Run the command importAccessData() to import the access data.
After you extend the OAM domain during the upgrade from 11.1.2.1.0 to 11.2.1.3.0, the .oamkeystore file size reduces to zero.
To resolve this, complete the following steps:
Take a backup of the .oamkeystore file before extending the domain. The .oamkeystore file is located in the DOMAIN_HOME/config/fmwconfig directory.
Extend the OAM domain.
Restore the .oamkeystore file.
Start the servers and processes.
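The backup and restore steps above, as an added shell example (not Oracle's code): it records a SHA-256 of the keystore at backup time and restores only when the live file has been truncated and the backup still matches that hash. The keystore path is the one given above; the function names and the backup directory argument are assumptions.

```shell
#!/bin/sh
# Added example: protect .oamkeystore across a domain extension.
# The keystore path comes from the text; the function names and the
# backup directory argument are assumptions made for this sketch.

# Print the SHA-256 of a file with whichever tool is installed.
ks_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Before extending the domain: copy the keystore and record its hash.
# usage: backup_keystore DOMAIN_HOME BACKUP_DIR
backup_keystore() {
    ks="$1/config/fmwconfig/.oamkeystore"
    # A missing or zero-byte keystore must never overwrite a good backup.
    [ -s "$ks" ] || { echo "refusing: $ks is missing or empty" >&2; return 1; }
    mkdir -p "$2" && chmod 700 "$2" || return 1   # keys: owner-only directory
    cp -p "$ks" "$2/.oamkeystore" || return 1     # -p keeps the original mode
    ks_hash "$ks" > "$2/.oamkeystore.sha256"
    [ "$(ks_hash "$2/.oamkeystore")" = "$(cat "$2/.oamkeystore.sha256")" ]
}

# After extending the domain: restore only if the live file was truncated
# and the backup still matches the hash recorded at backup time.
# usage: restore_keystore_if_truncated DOMAIN_HOME BACKUP_DIR
restore_keystore_if_truncated() {
    ks="$1/config/fmwconfig/.oamkeystore"
    bak="$2/.oamkeystore"
    if [ -s "$ks" ]; then echo "intact"; return 0; fi
    [ -s "$bak" ] || { echo "no usable backup in $2" >&2; return 1; }
    [ "$(ks_hash "$bak")" = "$(cat "$2/.oamkeystore.sha256")" ] ||
        { echo "backup does not match recorded hash" >&2; return 1; }
    cp -p "$bak" "$ks" || return 1
    echo "restored"
}
```

Call backup_keystore before the "Extend the OAM domain" step and restore_keystore_if_truncated after it, passing the same two arguments both times.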
When you upgrade OAM from R2PS2 to R2PS3, the upgradeConfig fails with the following error:
oracle.security.am.upgrade.framework.psfe.plugin.PolicyEntityPlugin process
SEVERE: Exception while running PSFE PolicyEntityPlugin : java.lang.NullPointerException at oracle.security.am.common.policy.admin.impl.PolicyUtil.cleanUpPolicy(PolicyUtil.java:2002
To fix this issue, set OAMEntityStoreR2PS3=true in the UpgradeConfig.properties file.