This chapter describes issues associated with the installation and configuration process of Oracle Identity and Access Management 11g Release 2 (11.1.2.3). It includes the following sections:
This section describes installation issues and workarounds. It includes the following topics:
While preparing the hosts for IDM deployment using the IDMLCM tool, you must install the Linux lsb_release packages. If the lsb Linux packages are absent, the pre-verify step fails for the respective host, and the failure can be confirmed from the log file IDMLCM_HOME/provisioning/logs/<machine-name>/healthcheck-error/logs/healthchecker/IDM_<machine-name>-PreInstallChecks_mandatory_<timestamp>.log
The log file has an error similar to:
java.util.concurrent.ExecutionException: java.io.IOException: Cannot run program "lsb_release": error=2, No such file or directory
at java.util.concurrent.FutureTask.report(FutureTask.java:122)
If IDMLCM is used for deployment and a user prepares and configures the directory manually (not using the Prepare Directory option of IDMLCM), it is recommended to configure the system users and groups with the same names that are shipped in the sample input file for preparing directories.
This file is available at idmlcm_home/existing_directory/idmtools/input_parameters.properties.
If you do not use the suggested user and group names, you might encounter an error or failure during the deployment.
Note:
It is recommended that you use the same user names and group names as in the file; the domain component does not need to be the same. For example, cn=oamLDAP,dc=oracle,dc=com instead of cn=oamLDAP,dc=example,dc=com.
Apart from the above known issues, this section also describes the following topics:
Note:
The prov_run command performs the entire deployment automatically. IDMLCM directory preparation is only supported if you are using the prov_run command to perform the deployment. If you are running the deployment manually using the runIAMDeployment commands, then IDMLCM directory preparation is not supported.
When you try to install Oracle SOA Suite and Oracle Identity and Access Management on SUSE Linux Enterprise Server 10 Service Pack (SP) 3+, the system prerequisite check for the compat-libstdc++-5.0.7 package fails because this package is missing on your system.
After the other system requirements have been met, you can safely ignore this system prerequisite check for the compat-libstdc++-5.0.7 package by specifying -ignoreSysPrereqs when you start the installer:
./runInstaller -ignoreSysPrereqs
During the Oracle Identity and Access Management 11g Release 2 (11.1.2) installation, you may see OPatch errors when the installer applies one-off patches. The following errors are displayed in the logs:
Error-1
OPatch failed with error code 39 ] stderr=[[ Error during Prerequisite for apply Phase]. Detail: OPatch failed during prerequisite checks: Prerequisite check "CheckPatchApplicableOnCurrentPlatform" failed. Prerequisite check "CheckApplicable" failed. ]
Description and Workaround:
These are warning messages which can be ignored.
Error-2
OPatch failed with error code 25 ] stderr=[[ Error during Oracle Home discovery Phase]. Detail: OPatch failed: ApplySession failed to prepare the system. To run in silent mode, OPatch requires a response file for Oracle Configuration Manager (OCM). Please run "/scratch/FMW_OAM/Oracle_OAM/OPatch/ocm/bin/emocmrsp" to generate an OCM response file. The generated response file can be reused on different platforms and in multiple OPatch silent installs. To regenerate an OCM response file, Please rerun "/scratch/FMW_OAM/Oracle_OAM/OPatch/ocm/bin/emocmrsp".
When you run the healthcheck on Solaris 11 during installation, it fails to detect any missing packages. Solaris 11 does not have /usr/ucb/ps pre-installed by default. As a result, when the healthcheck uses the /usr/ucb/ps -auxwww command to check whether the Node Manager has started properly, it fails at this stage.
To resolve this issue, run the following command before you install OIM:
pkg install compatibility/ucb
This section describes configuration issues and workarounds. It includes the following topics:
Section 2.2.3, "Password for OAM Schema on Oracle Database 11g Expires Every 180 Days"
Section 2.2.5, "Coherence Request Timeout Exception during Service Start"
Note:
In certain scenarios of IDM R2PS3 deployment using the IDMLCM tool, the Oracle Unified Directory ACIs may not be updated in all OUD instances. After the deployment, check the OUD_ORACLE_INSTANCE/OUD/config/config.ldif file on all OUD instances for the presence of the ACIs listed in the section Update Oracle Unified Directory ACIs for LDAP Synchronization of the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity and Access Management.
When you enable the Identity Auditor feature in OIM, perform the following configuration changes for the OIM-BI Publisher integration to work correctly.
Log in to the IAMGovernanceDomain Enterprise Manager console.
Open the system MBean browser and update the MBean:
oracle.iam:Location=wlsoim1,name=Discovery,type=XMLConfig.DiscoveryConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.2.0.0
with the value http://igdadmin.example.com/, where igdadmin.example.com is the Governance Domain admin load balancer URL.
If you have configured Microsoft Active Directory as the LDAP directory in an integrated, Oracle Identity Manager (OIM), Oracle Access Manager (OAM), and Oracle Mobile Security Suite (OMSS) environment, then any user roles created in OIM will not be recognized by OAM or OMSS.
For example, if you log in to the OIM Console and create a new role called, "omssrole," and then you log into the OAM Console and search for that role, the role will not be found.
The workaround to this problem is to configure OIM so that it sets the sAMAccountName attribute to the same value as the CN attribute for each of the groups that it creates in the Active Directory instance. This workaround must be applied before creating any new roles in OIM.
Open a new terminal window on the host where OIM is installed.
Connect to the OIM Governance domain Administration Server.
For example:
WL_HOME/server/bin/setWLSEnv.sh
WL_HOME/common/bin/wlst.sh
wls:/offline> connect ("weblogic", "admin_password", "t3://OIMHOST.example.com:7001")
Enter the following WLST command to add the sAMAccountName attribute to all groups in the directory:
wls:/IAMGovernanceDomain/serverConfig> addPluginParam(adapterName='dir1',pluginName='UserManagement', paramKeys='addAttribute',paramValues='group, samaccountname=%cn%',contextName='oim')
Exit from WLST and locate the following file in the Domain home directory:
DOMAIN_HOME/config/fmwconfig/ovd/oim/adapters.os_xml
Verify that the following entry has been added to the adapters.os_xml file:
<ns2:param name="addAttribute" value="group,samaccountname=%cn%"/>
Restart the OIM Managed Server (for example, wls_oim1).
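The verification step above can be scripted rather than done by eye. The following added example (not from Oracle's documentation or product) parses adapters.os_xml and checks for the addAttribute parameter regardless of namespace prefix, case or spacing; the sample XML, its namespace URI and the element nesting are constructed placeholders, and only the param line is the documented entry.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for DOMAIN_HOME/config/fmwconfig/ovd/oim/adapters.os_xml.
# The namespace URI and the element nesting are placeholders; only the
# <ns2:param name="addAttribute" .../> line is taken from the documented entry.
SAMPLE_ADAPTERS_OS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ns2:adapters xmlns:ns2="urn:placeholder-ovd-adapters">
  <ns2:ldapAdapter name="dir1">
    <ns2:plugin name="UserManagement">
      <ns2:param name="addAttribute" value="group,samaccountname=%cn%"/>
    </ns2:plugin>
  </ns2:ldapAdapter>
</ns2:adapters>
"""

EXPECTED_ADD_ATTRIBUTE = "group,samaccountname=%cn%"

def _local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def _normalize(value):
    """Compare case-insensitively and ignore whitespace: the WLST call is
    written 'group, samaccountname=%cn%' but the file stores it without the space."""
    return re.sub(r"\s+", "", value).lower()

def add_attribute_params(xml_text):
    """Return the value of every param named addAttribute, wherever it sits."""
    root = ET.fromstring(xml_text)
    return [
        el.get("value", "")
        for el in root.iter()
        if _local_name(el.tag) == "param" and el.get("name") == "addAttribute"
    ]

def samaccountname_workaround_present(xml_text):
    """True when the sAMAccountName-from-CN mapping for groups is configured."""
    wanted = _normalize(EXPECTED_ADD_ATTRIBUTE)
    return any(_normalize(v) == wanted for v in add_attribute_params(xml_text))

if __name__ == "__main__":
    # On a real host, read DOMAIN_HOME/config/fmwconfig/ovd/oim/adapters.os_xml instead.
    print("workaround present:", samaccountname_workaround_present(SAMPLE_ADAPTERS_OS_XML))
```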
When you attempt to start the WebLogic Administration Server on Windows after installing and configuring Oracle Identity and Access Management, the Administration Server might fail to start with a java.sql.SQLIntegrityConstraintViolationException error.
As a workaround, open the DOMAIN_HOME\bin\setDomainEnv.cmd file, and set -DDISABLE_CONFIG_ENTITY to true.
For example:
-DDISABLE_CONFIG_ENTITY=true
Then, restart the Administration Server.
The default password lifetime used for a user created on a newly installed Oracle Database 11g database is 180 days. After 180 days, the password automatically expires. When the Oracle Access Manager (OAM) schema password expires, the OAM environment will become inoperable.
To avoid this problem, you can do one of the following:
Solution 1: Change the default password policy for the database by configuring the password settings in the DEFAULT database profile (or in another relevant profile assigned to the OAM schema) so that the current OAM schema password will never expire.
To do this, you can use the ALTER PROFILE statement to set the PASSWORD_LIFE_TIME and PASSWORD_GRACE_TIME parameters to UNLIMITED in the OAM schema user's profile.
For more information about the password-related settings in the default profile and how to configure them, see "Configuring Password Settings in the Default Profile" in the Oracle Database Security Guide.
See Oracle Database SQL Language Reference for more information about using ALTER PROFILE to modify the default password settings.
or
Solution 2: Reset the password before it expires.
To reset the OAM schema password on an Oracle Database 11g database, you must first update the password for both the OPSS schema and OAM schema in the WebLogic Server Administration Console and then update the passwords in the database.
Note:
For more information, refer to My Oracle Support Document ID 1545889.1.
Update the password for OPSS in the WebLogic Server Administration Console:
From the Domain Structure menu, expand Services and click Data Sources.
Select the opss-DBDS data source in the Data Sources table.
Select the Configuration > Connection Pool sub tab.
Click Lock & Edit in the Change Center.
Enter a new password for the OPSS schema in the Password and Confirm Password fields.
Click Save to save the new password.
Update the password for OAM in the WebLogic Server Administration Console:
From the Domain Structure menu, expand Services and click Data Sources.
Select the oamDS data source in the Data Sources table.
Select the Configuration > Connection Pool sub tab.
Enter a new password for the OAM schema in the Password and Confirm Password fields.
Click Save to save the new password, and then click Activate Changes in the Change Center.
Stop the servers (Administration Server and Managed Servers) in your environment.
Log on to sqlplus as the SYS
database user, and update the schema passwords in the database:
SQL> ALTER USER OAM_SCHEMA_USER IDENTIFIED BY NEW_PASSWORD;
SQL> ALTER USER OPSS_SCHEMA_USER IDENTIFIED BY NEW_PASSWORD;
For example:
SQL> ALTER USER DEV_OAM IDENTIFIED BY password;
SQL> ALTER USER DEV_OPSS IDENTIFIED BY password;
Start WLST from the MW_HOME/oracle_common/common/bin directory. For example:
cd MW_HOME/oracle_common/common/bin
./wlst.sh
Run the WLST modifyBootStrapCredential command as follows:
modifyBootStrapCredential(jpsConfigFile='DOMAIN_HOME/config/fmwconfig/jps-config.xml', username='prefix_OPSS', password='new_password')
Exit WLST:
exit()
Start the servers in your environment.
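Before choosing between Solution 1 and Solution 2, it helps to know what the OAM schema's profile actually allows, because a profile limit of DEFAULT silently inherits the 180-day lifetime. The following added example (not Oracle's code) resolves DBA_PROFILES-style limits, including the DEFAULT and UNLIMITED cases, classifies how close a schema password is to expiring, and models the effect of Solution 1 on those limits; the rows and the OAM_PROFILE name are constructed, and the grace window is counted from the expiry date as an approximation.

```python
from datetime import date, timedelta

# Constructed rows in the shape of DBA_PROFILES (PROFILE, RESOURCE_NAME, LIMIT).
# DEFAULT keeps the 180-day lifetime described above; OAM_PROFILE is a hypothetical
# profile assigned to the OAM schema user that inherits its lifetime from DEFAULT.
SAMPLE_PROFILES = [
    ("DEFAULT", "PASSWORD_LIFE_TIME", "180"),
    ("DEFAULT", "PASSWORD_GRACE_TIME", "7"),
    ("OAM_PROFILE", "PASSWORD_LIFE_TIME", "DEFAULT"),
    ("OAM_PROFILE", "PASSWORD_GRACE_TIME", "UNLIMITED"),
]

def effective_limit(profiles, profile, resource):
    """Resolve a limit the way the database does: a LIMIT of DEFAULT means
    'use the DEFAULT profile's value'. Unknown profiles fall back to DEFAULT."""
    limits = {(p, r): v.strip().upper() for p, r, v in profiles}
    value = limits.get((profile, resource), "DEFAULT")
    if value == "DEFAULT":
        value = limits.get(("DEFAULT", resource), "UNLIMITED")
    return value

def days_until_password_expires(profiles, profile, last_changed, today):
    """None when PASSWORD_LIFE_TIME is UNLIMITED (Solution 1 applied);
    otherwise days left before the lifetime elapses, negative once it has."""
    life = effective_limit(profiles, profile, "PASSWORD_LIFE_TIME")
    if life == "UNLIMITED":
        return None
    return (last_changed + timedelta(days=float(life)) - today).days

def schema_password_status(profiles, profile, last_changed, today, warn_days=30):
    """'never-expires', 'ok', 'expiring-soon', 'in-grace' (lifetime elapsed but the
    grace period, counted here from the expiry date, still allows logins) or 'expired'."""
    left = days_until_password_expires(profiles, profile, last_changed, today)
    if left is None:
        return "never-expires"
    if left > warn_days:
        return "ok"
    if left >= 0:
        return "expiring-soon"
    grace = effective_limit(profiles, profile, "PASSWORD_GRACE_TIME")
    if grace == "UNLIMITED" or -left <= float(grace):
        return "in-grace"
    return "expired"

def apply_solution_1(profiles, profile):
    """Model ALTER PROFILE <profile> LIMIT PASSWORD_LIFE_TIME UNLIMITED
    PASSWORD_GRACE_TIME UNLIMITED on the in-memory rows (no database access)."""
    names = ("PASSWORD_LIFE_TIME", "PASSWORD_GRACE_TIME")
    kept = [r for r in profiles if not (r[0] == profile and r[1] in names)]
    return kept + [(profile, name, "UNLIMITED") for name in names]
```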
If you are using the Life Cycle Management (LCM) Tools to perform an Identity and Access Management deployment, you might encounter the following exception for the bip_datasource connection pool in the AdminServer.log file during the preconfigure phase:
java.net.UnknownHostException: dbhost.example.com: Name or service not known
This exception related to the use of dbhost.example.com by the bip_datasource connection pool is harmless and can be safely ignored.
In certain scenarios, when you are using the LCM tools to automatically deploy Oracle Identity and Access Management, a RequestTimeoutException may be generated and seen in the IAM Access domain server logs:
com.tangosol.net.RequestTimeoutException: Timeout during service start
If you encounter this error, perform the following workaround:
Shut down the Access Domain servers, including admin server and the managed servers.
Refer to Starting and Stopping IAMAccessDomain Services in Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity and Access Management for instructions on stopping the servers in the correct order.
Locate the startup.properties file used by nodemanager to start the Access domain Admin server:
IAD_ASERVER_HOME/servers/AdminServer/data/nodemanager/startup.properties
Edit the startup.properties file, locate the property, Arguments in the file and append to it:
-Djava.net.preferIPv4Stack=true
Restart the Access domain servers, including the admin server and the managed servers.
Refer to Starting and Stopping IAMAccessDomain Services in Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity and Access Management for instructions on starting the servers in the correct order.
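The edit to startup.properties is easy to get wrong when it is repeated on several hosts or when Arguments already carries a conflicting value for the same property. The following added example (not from Oracle or the LCM tools) appends -Djava.net.preferIPv4Stack=true to the Arguments property idempotently, replacing a conflicting token and leaving every other line alone; the sample properties content and its JVM flags are constructed.

```python
import re

# Constructed stand-in for IAD_ASERVER_HOME/servers/AdminServer/data/nodemanager/startup.properties.
# The JVM flags are sample values; only the Arguments key and the IPv4 flag come from the text.
SAMPLE_STARTUP_PROPERTIES = """# Node Manager startup properties (constructed sample)
JavaHome=/u01/app/jdk
Arguments=-Xms768m -Xmx1536m -Dweblogic.security.SSL.ignoreHostnameVerification=true
SSLArguments=-Dweblogic.security.SSL.ignoreHostnameVerification=true
"""

PREFER_IPV4 = "-Djava.net.preferIPv4Stack=true"

# Only the Arguments key; anchored at line start so SSLArguments is left alone.
# Assumes Node Manager wrote the value on one line (no backslash continuation).
ARGUMENTS_RE = re.compile(r"^(\s*Arguments\s*[=:]\s*)(.*)$")

def _arg_key(token):
    """'-Djava.net.preferIPv4Stack=true' -> '-Djava.net.preferIPv4Stack'."""
    return token.split("=", 1)[0]

def arguments_of(properties_text):
    """Return the Arguments value split into JVM option tokens ([] if absent)."""
    for line in properties_text.splitlines():
        m = ARGUMENTS_RE.match(line)
        if m:
            return m.group(2).split()
    return []

def add_jvm_argument(properties_text, argument):
    """Return (new_text, changed). Appends `argument` to Arguments, replacing any
    token that sets the same -D property to another value, and creating the
    Arguments line if it is missing. Every other line is passed through untouched."""
    key = _arg_key(argument)
    lines = properties_text.splitlines()
    for i, line in enumerate(lines):
        m = ARGUMENTS_RE.match(line)
        if not m:
            continue
        tokens = m.group(2).split()
        if [t for t in tokens if _arg_key(t) == key] == [argument]:
            return properties_text, False  # already set exactly once: nothing to do
        new_tokens = [t for t in tokens if _arg_key(t) != key] + [argument]
        lines[i] = m.group(1) + " ".join(new_tokens)
        return "\n".join(lines) + "\n", True
    lines.append("Arguments=" + argument)
    return "\n".join(lines) + "\n", True
```

Run it against a copy of the real file first and diff the result; only the Arguments line should differ.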