This chapter describes issues associated with Oracle Mobile Security Suite (OMSS).
It includes the following topics:
This section is organized by component.
General Issues and Workarounds: Mobile Security Manager (MSM)
General Issues and Workarounds: Mobile Security Access Server (MSAS)
General Issues and Workarounds: Secure Workspace App for iOS
General Issues and Workarounds: Secure Workspace App for Android
General Issues and Workarounds: App Containerization Tool for iOS
General Issues and Workarounds: App Containerization Tool for Android
This section documents issues that are not component specific. It includes the following topic:
Moving Oracle Mobile Security Suite artifacts from a test environment to a production environment is not supported. After testing, administrators should deploy Oracle Mobile Security Suite in the production environment and manually recreate configurations and policies in the new environment.
This release of Oracle Mobile Security Suite does not support the Windows platform.
This section includes the following topics:
Distribution Details Do Not Immediately Appear When Uploading an Android App Binary
Users with an Asterisk Character in their User Name are Not Mapped to Roles
A Single Microsoft Exchange Server is Supported for Push Notifications
When uploading an Android app binary to the Mobile Security Manager App Catalog, the app's details (package name, version, and so on) are not immediately populated on the current screen. After you save the app and view it again, the app details are present.
If a user account in LDAP has an asterisk character (*) in its user name, then it will not be mapped to roles in Mobile Security Manager correctly. The workaround is to avoid using the asterisk character in user names.
Mobile Security Manager only enforces mobile device management (MDM) configuration, policies, and restrictions when Specify device details for this policy is selected in the Mobile Security Policy definition. If a device has been registered with MDM under an applicable policy that has the device details specified, and the policy is subsequently updated to deselect Specify device details for this policy, the associated MDM device configuration is not automatically removed, and it remains possible to send MDM commands (such as Lock, Wipe, and Sync) to the device.
The Mobile Security Manager server setting for Microsoft Exchange push notifications is global across all mobile security policies. It is not possible to configure a different Microsoft Exchange server setting for different mobile security policies.
Searching Mobile Security Policies by the name of the assigned mobile roles is a case-sensitive search, while searching Mobile Security Policies by other attributes, such as the policy name, is not. The workaround is to search policies using case-sensitive role names.
When uploading an app binary to the Mobile Security Manager App Catalog, it is not possible to cancel the upload once it is in progress. Clicking Cancel will close the current dialog, but the app will finish uploading in the background.
When you search for users or roles in Mobile Security Manager, a maximum of 1000 users or roles is displayed even when the search matches more than 1000 results. The workaround is to update the search criteria so that the search matches fewer than 1000 results.
This section includes the following topics:
Deleting an MSAS Instance Does Not Remove OAuth Clients and WebGate Configuration from OAM
Error Using Same Logical MSAS Instance ID After OAM Test-to-Production (T2P)
MSAS Console Does Not Provide Host Header Configuration Option for Reverse Proxies
The WLST displayIdentityProfile Command Includes TERM_CHAR in the Output
Using the Same Name for Different URLs in a Proxy Application Causes Unexpected Runtime Behavior
SSO to Oracle Access Manager Distributed Credential Collector is Not Supported
The MSAS log files contain warning messages such as the following:
WARNING: JPS-06514 Opening of file based keystore failed.
WARNING: JPS-06619 Key store file keystores.xml integrity check failed.
Messages with the codes "WARNING: JPS-06514" and "WARNING: JPS-06619" can be safely ignored.
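A triage filter that suppresses exactly the two warning codes the release notes identify as benign, while passing every other message through, is shown below. It is an added example written for this page, not part of MSAS or any Oracle tooling; the sample log lines are constructed, and the same code at SEVERE level is deliberately kept so that a change in severity is never hidden.

```python
"""Triage filter for MSAS log lines (added example, not Oracle code).

Suppresses the JPS-06514 / JPS-06619 warnings the release notes say can be
ignored and keeps everything else. Sample lines below are constructed."""
import re
from collections import Counter

# Codes the release notes identify as safe to ignore (WARNING level only).
BENIGN_CODES = {"JPS-06514", "JPS-06619"}

# Matches "<LEVEL>: <CODE> <message>", the shape quoted in the release notes.
LOG_RE = re.compile(r"^(?P<level>[A-Z]+): (?P<code>[A-Z]+-\d+)\b(?P<rest>.*)$")

SAMPLE_LINES = [  # constructed for the example
    "WARNING: JPS-06514 Opening of file based keystore failed.",
    "WARNING: JPS-06619 Key store file keystores.xml integrity check failed.",
    "WARNING: JPS-00001 constructed sample warning that must not be hidden.",
    "SEVERE: JPS-06514 Opening of file based keystore failed.",
    "INFO: Server state changed to RUNNING",
]

def triage(lines, benign=BENIGN_CODES):
    """Return (kept_lines, suppressed_counter).

    A line is dropped only when it is a WARNING carrying a benign code; the
    same code at SEVERE level, or any line the pattern does not recognise,
    is kept so nothing unexpected disappears from the reviewer's view."""
    kept = []
    suppressed = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("level") == "WARNING" and m.group("code") in benign:
            suppressed[m.group("code")] += 1
            continue
        kept.append(line)
    return kept, suppressed

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_LINES)
    for line in kept:
        print(line)
    print("suppressed:", dict(suppressed))
```

Run against a real log with `triage(open(path).read().splitlines())`; the suppressed counter gives a quick sanity check that only the two expected codes were filtered.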
When configMSAS.sh is used to configure an MSAS instance, it attempts to automatically register OAuth clients and a WebGate configuration for the MSAS instance in Oracle Access Manager. When that MSAS instance is later deleted, the previously registered OAuth clients and WebGate configuration are not automatically removed. The workaround is to delete the OAuth clients and WebGate configuration manually using the OAM console UI.
Oracle Access Manager and Oracle Mobile Security Suite are installed together in this release. When the OAM Test-to-Production (T2P) process is followed to transfer the OAM configuration from a source environment to a destination environment, it also transfers some configuration elements for the Mobile Security Access Server. This creates a conflict in the destination environment, such that the standard Oracle Mobile Security Suite configuration process in the destination environment fails if the same logical MSAS instance ID is chosen there as was previously used in the source environment. The workaround is to choose a different logical MSAS instance ID in the destination environment rather than reusing the one used in the source environment.
The MSAS console UI does not display properly on mobile devices. To view the MSAS console UI, the workaround is to use a desktop web browser that is certified to work with the OAM Policy Manager console.
A number of screens in the Oracle Mobile Security Suite console UI suggest a 1024-bit RSA key by default for new public key creation. The standard Oracle security recommendation is a minimum RSA key length of 2048 bits. The workaround is to change the default selection to RSA 2048-bit or larger keys.
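Keys created before the default was changed can be audited against that minimum. The checker below is an added example written for this page, not Oracle code: it reads the modulus length out of a SubjectPublicKeyInfo PEM using only the standard library. Because no real key material is on the page, synthetic_rsa_spki_pem() builds a structurally valid SPKI around a placeholder modulus (it is not a usable RSA key) purely so the checker can be exercised offline.

```python
"""RSA key-length audit for PEM public keys (added example, not Oracle code).

Reads the modulus length out of a SubjectPublicKeyInfo PEM so existing keys
can be checked against the 2048-bit minimum. synthetic_rsa_spki_pem() only
produces a placeholder structure for offline testing, NOT a real key."""
import base64
import re

MIN_RSA_BITS = 2048
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def _der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value

def _der_int(value):
    """DER INTEGER for a non-negative int (leading 0x00 keeps it positive)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)

def synthetic_rsa_spki_pem(bits, exponent=65537):
    """SubjectPublicKeyInfo PEM around a placeholder modulus of exactly `bits` bits."""
    modulus = (1 << (bits - 1)) | 1          # constructed: not a real RSA modulus
    rsa_public_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b""))
    spki = _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))
    b64 = base64.b64encode(spki).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(pem):
    """Modulus length in bits for an RSA SubjectPublicKeyInfo PEM; None if not RSA."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, algorithm, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(algorithm, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        return None
    bit_tag, bit_string, _ = _read_tlv(spki, pos)
    if bit_tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string[1:], 0)   # skip unused-bits octet
    _, modulus, _ = _read_tlv(rsa_public_key, 0)
    return int.from_bytes(modulus, "big").bit_length()

def audit_keys(named_pems, minimum=MIN_RSA_BITS):
    """Map key name -> (bits, meets_minimum); non-RSA keys report (None, True)."""
    report = {}
    for name, pem in named_pems.items():
        bits = rsa_modulus_bits(pem)
        report[name] = (bits, bits is None or bits >= minimum)
    return report

if __name__ == "__main__":
    sample = {
        "console-default": synthetic_rsa_spki_pem(1024),
        "recommended": synthetic_rsa_spki_pem(2048),
    }
    for name, (bits, ok) in audit_keys(sample).items():
        print(f"{name}: RSA-{bits} {'OK' if ok else 'BELOW MINIMUM'}")
```

For real keys, feed audit_keys() the PEM text exported from the keystore (for example via `keytool -exportcert -rfc` followed by extraction of the public key); the parser handles only the RSA SubjectPublicKeyInfo layout and reports None for other algorithms.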
The MSAS console does not provide an option to switch the host header between MSAS and the backend, which only impacts JWT client policies attached on reverse proxies (on invoke). To prevent the JWT audience restriction check from failing due to this issue, set the audience.uri property to None for attached JWT client policies.
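The failure the audience restriction produces can be seen with a minimal stand-alone JWT mint-and-verify, added here as an illustration and not taken from MSAS or any other Oracle component. It assumes the client policy places a host-derived value in the aud claim and that the backend compares it against its own audience URI; setting audience_uri to None in the example stands in for the audience.uri = None workaround and leaves only the signature and expiry checks. All hostnames, the claim layout and the HS256 secret are constructed.

```python
"""JWT audience-restriction check behind a reverse proxy (added example).

Minimal HS256 JWT mint/verify using only the standard library. It shows why
a token whose aud names one host fails audience validation at a backend that
expects another, and how disabling the audience restriction (modelling the
audience.uri = None workaround) leaves only signature and expiry checks.
Hostnames, claims and the secret are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-not-for-production"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode_json(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def mint_jwt(claims, secret=SECRET):
    """Create a compact HS256 JWT for the given claims."""
    signing_input = f"{_encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_json(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_jwt(token, secret=SECRET, audience_uri=None, now=None):
    """Verify signature and expiry, then the aud claim when audience_uri is set.

    audience_uri=None models a client policy whose audience restriction is
    disabled: the token must still be validly signed and unexpired, but no
    aud comparison is made. Returns (ok, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return False, "token expired"
    if audience_uri is not None:
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if audience_uri not in audiences:
            return False, f"audience mismatch: token aud={aud!r}, backend expects {audience_uri!r}"
    return True, "ok"

def proxied_invoke(token_audience, backend_audience_uri):
    """Model one invoke through the proxy: the client policy mints a token whose
    aud is derived from the host it sees; the backend validates against its
    own audience_uri setting (None = restriction disabled)."""
    token = mint_jwt({"iss": "constructed-client-policy",
                      "sub": "user@example.test",
                      "aud": token_audience,
                      "exp": int(time.time()) + 300})
    return verify_jwt(token, audience_uri=backend_audience_uri)

MSAS_AUDIENCE = "https://msas.example.test/proxy-app"      # constructed
BACKEND_AUDIENCE = "https://backend.example.test/service"  # constructed

if __name__ == "__main__":
    # Host header left as the MSAS host: aud names MSAS, backend expects itself.
    print(proxied_invoke(MSAS_AUDIENCE, BACKEND_AUDIENCE))
    # Both sides agree on the audience: passes.
    print(proxied_invoke(BACKEND_AUDIENCE, BACKEND_AUDIENCE))
    # Audience restriction disabled: passes on signature and expiry alone.
    print(proxied_invoke(MSAS_AUDIENCE, None))
```

Disabling the audience check removes the binding between the token and the intended recipient, so where the workaround is applied the signature and expiry checks become the only protection against a token being replayed to a different service; the example keeps both of those checks active regardless of the audience setting.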
The output of the displayIdentityProfile command includes TERM_CHAR in place of newline characters. These extraneous TERM_CHAR strings can be ignored.
When you create a proxy application, do not use the same proxy name for multiple different URLs. Doing so will cause unexpected behavior at runtime.
Oracle Mobile Security Suite supports SSO to Oracle Access Manager when the OAM login page is exposed using the Embedded Credential Collector mode. SSO to the OAM login page is not supported when it is exposed using the Distributed Credential Collector mode.
This section includes the following topics:
Secure Workspace Falls Back to English With Unsupported Region
Customizable Workspace Name is Not Localized in the Device Language
User can Toggle the Turn off Passcode Setting on a Managed Device
In iOS Settings, the Workspace App may Need a Moment to Appear
Trying to play an online video file hosted on a website in the Secure Browser results in an error. The workaround is to download the video file locally and then play it.
There is no audio while playing local video files in the Secure Browser if the hardware vibrate mode has been enabled on the iOS device. The workaround is to turn off vibrate mode.
If the Install on Homepage policy setting is enabled, apps will appear on the Secure Workspace app homepage even if they should be blocked because the device OS does not meet the minimum required by the Min OS Version policy setting. The workaround is to not set Install on Homepage for mobile apps with a Min OS Version restriction, and to instead allow users to install the mobile apps from the dynamic catalog, where the Min OS Version restriction is properly applied.
If the configured device language does not match one of the languages that the app is localized for, the Secure Workspace app reverts to English. The app also reverts to English if the device language is set to a supported language, but the region is unsupported. The workaround is to either set the device language to a supported language and a supported region, or to not configure the region at all.
When customizing the Secure Workspace app with a different app name, only a single name in a single language is supported. If different names are desired for different languages, then the workaround is to create a separate customized version of the app for each language.
After registering a managed device, the user can still select the "Turn Passcode off" setting; however, the device then forces the user to set a passcode again. Due to limitations of the iOS 7.x MDM API, the "Turn Passcode off" setting cannot be completely disabled.
The list of apps under Settings loads dynamically in iOS 9. Consequently, the Workspace app may take a moment to appear in the list of apps on the iOS Settings screen.
This section includes the following topics:
Existing Tabs Close When Opening a vApp in the Secure Browser
Customizable Workspace Name is Not Localized in the Device Language
Talkback Accessibility Feature on Android Devices Does Not Properly Announce Password Characters
During the Secure Workspace app login process, when MDM is not enabled, the "Logging in" progress dialog is dismissed temporarily and then reappears. This temporary dismissal has no functional impact.
Opening a virtual app in the Secure Browser will cause any previously opened browser tabs to be closed.
When customizing the Secure Workspace app with a different app name, only a single name in a single language is supported. If different names are desired for different languages, then the workaround is to create a separate customized version of the app for each language.
When Talkback is enabled and headphones are in use, Talkback should announce the characters in the password field. On many Android devices, however, Talkback says "dot" instead of speaking the character name. This is not a Secure Workspace bug but a known limitation that affects many Android devices.
This section includes the following topics:
Trying to play an online video file hosted on a website in a containerized app results in an error. The workaround is to download the video file locally and then play it.
Secure networking for apps directly using socket-level communication primitives is not supported.
It is not possible to restrict the ability to save images from a containerized app presenting the Save Image feature of QLPreviewController, even if the Save image to local gallery restriction is enabled on Mobile Security Manager.
A Xamarin app that uses a UI storyboard will show a blank screen or crash after it has been containerized. The workaround is to not use UI storyboards when writing Xamarin apps.
The App Containerization tool is not localized. All text is displayed in English regardless of the locale set in the OSX terminal window.
Apps containerized with a version 3.0.n App Containerization Tool crash on launch if the iOS Touch ID feature is enabled. To fix this issue, re-containerize the apps using the 11.1.2.3.1 App Containerization Tool. Until all containerized apps have been upgraded to 11.1.2.3.1 containerization, turn Touch ID off.
This section includes the following topics:
Some Non-Containerized Apps Still Appear when File Share is Restricted
Apps Exposing Document Providers are Not Listed When Containerized
When the Secure Workspace policy is set to restrict file sharing, some non-containerized apps may still appear in the list of available apps on Android. Attempting to select one of these non-containerized apps will, however, result in encrypted data being accessed by the app. There is no leakage of un-encrypted data.
The Secure Workspace policy to allow or disallow redirects from web pages displayed within the Secure Workspace app to other apps using custom URL schemes is not implemented on Android.
Secure networking for apps directly using socket-level communication primitives is not supported.
Apps that implement the document provider interface of the Android storage access framework will not appear in the Open From list in other mobile apps after being containerized.
When you install a containerized app on Android that supports widgets and then drag one of its widgets to the Android home screen, a "Problem Loading Widget" error results when the widget is opened.
The App Containerization tool is not localized. All text will be displayed in English regardless of the locale set in the OSX terminal window.
This section is organized by component.
Configuration Issues and Workarounds: Mobile Security Manager (MSM)
Configuration Issues and Workarounds: Mobile Security Access Server (MSAS)
This section includes the following topic:
Oracle Mobile Security Suite 11g Release 2 (11.1.2.3.0) requires the following patches to be applied on top of WebLogic 10.3.6.0.10 after installation.
13856604: NEW TIMEOUT PROPERTY REQUIRED FOR HTTPRESPONSE INSTEAD OF COMPLETEMESSAGETIMEOUT
15865825: DISABLE BASIC AUTH FOR OWSM WHILE KEEP BACKWARD COMPATIBILITY
14809365: HTTP BASIC AUTHENTICATION FOR WLS WS STACK
To obtain a patch from My Oracle Support (formerly OracleMetaLink), go to the following URL, click Patches and Updates, and search for the patch number:
This section includes the following topic:
The idmConfigTool -configOMSS mode=OMSAS command fails with the following error if the logical MSAS instance ID in the idmConfigTool properties file does not match the logical MSAS instance ID in the properties file that was used when configMSAS.sh was previously executed.
(1/4) Configuring OMSAS Identity Profile Error [oracle.wsm.cli.CommandLineException: WSM-15013 : No session to abort.]
When this failure occurs, the IDS profile for Mobile Security Access Server may nevertheless be created, which causes a further error if the idmConfigTool properties file is subsequently updated to use the correct logical MSAS instance ID and idmConfigTool -configOMSS mode=OMSAS is executed again. The workaround is either to update the idmConfigTool properties file to use a new IDS profile name, or to delete the previously created IDS profile using WLST commands.
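Because the first failed run can leave an IDS profile behind, it is cheaper to catch the mismatch before idmConfigTool is invoked. The pre-flight check below is an added example written for this page, not part of the Oracle tooling: it parses both Java .properties files and compares the logical MSAS instance ID values. The release notes do not name the property keys, so OMSS_MSAS_LOGICAL_INSTANCE_ID and MSAS_LOGICAL_INSTANCE_ID are placeholders to be replaced with the keys your files actually use; the sample file contents are constructed.

```python
"""Pre-flight check that the idmConfigTool and configMSAS.sh properties files
agree on the logical MSAS instance ID (added example, not Oracle tooling).

The property key names are placeholders: the release notes do not name them,
so substitute the keys used in your own files. Sample contents are constructed."""
import re

IDMCONFIG_ID_KEY = "OMSS_MSAS_LOGICAL_INSTANCE_ID"   # placeholder key name
CONFIGMSAS_ID_KEY = "MSAS_LOGICAL_INSTANCE_ID"       # placeholder key name

def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, key=value or key: value,
    trailing-backslash line continuations (leading whitespace on the continued
    line is dropped, as java.util.Properties does). Later duplicates win."""
    logical_lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.lstrip() if pending else raw
        if line.rstrip().endswith("\\"):
            pending += line.rstrip()[:-1]
            continue
        logical_lines.append(pending + line)
        pending = ""
    if pending:
        logical_lines.append(pending)
    props = {}
    for line in logical_lines:
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", stripped)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_logical_instance_id(idmconfig_text, configmsas_text,
                              idm_key=IDMCONFIG_ID_KEY, msas_key=CONFIGMSAS_ID_KEY):
    """Return (ok, message); ok is False when a key is missing or the IDs differ."""
    idm_id = parse_properties(idmconfig_text).get(idm_key)
    msas_id = parse_properties(configmsas_text).get(msas_key)
    if idm_id is None or msas_id is None:
        return False, f"missing key: {idm_key if idm_id is None else msas_key}"
    if idm_id != msas_id:
        return False, (f"logical MSAS instance ID mismatch: "
                       f"idmConfigTool={idm_id!r}, configMSAS.sh={msas_id!r}")
    return True, f"logical MSAS instance ID {idm_id!r} matches"

# Constructed sample files; the ID differs to show the failing case.
IDMCONFIG_SAMPLE = """\
# constructed idmConfigTool properties file
OMSS_MSAS_LOGICAL_INSTANCE_ID = msas-prod-01
"""
CONFIGMSAS_SAMPLE = """\
! constructed configMSAS.sh properties file
MSAS_LOGICAL_INSTANCE_ID=msas-prod-02
OAM_HOST: oamhost
OAUTH_HOST=oamhost
"""

if __name__ == "__main__":
    ok, message = check_logical_instance_id(IDMCONFIG_SAMPLE, CONFIGMSAS_SAMPLE)
    print("OK" if ok else "STOP", "-", message)
```

In practice, read both files from disk and abort the deployment script when ok is False; the message names the offending side so the properties file can be corrected before any IDS profile is created.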
The Oracle Access Manager configuration for SSL can use the WebLogic Server demo identity certificate by default. This demo identity certificate only includes the short name of the server host, not the fully-qualified domain name. For MSAS to connect to Oracle Access Manager over SSL (including the OAuth server) when the demo identity certificate is used, it is necessary for MSAS to be configured with the short name of the Oracle Access Manager and/or OAuth server host, and not the fully-qualified domain name.
This applies to the OAM_HOST and OAUTH_HOST properties used by configMSAS.sh, and to the OAuth2 Confidential Client and OAuth2 Mobile Client authentication endpoints, which can be configured in the MSAS console by opening the Environments -> Instances -> <gateway instance> -> Authentication Endpoints page and updating the OAuth2 Confidential Client: Endpoint and OAuth2 Mobile Client: Endpoint parameters.