20 Troubleshooting Oracle Privileged Account Manager

This chapter describes common problems that you might encounter when using Oracle Privileged Account Manager and explains how to solve them.

This chapter includes the following sections:

In addition to this chapter, review the Oracle Fusion Middleware Error Messages Reference for information about the error messages you may encounter.

20.1 Introduction to Troubleshooting Oracle Privileged Account Manager

This section provides guidelines and a process for using the information in this chapter. Using the following guidelines and process will focus and minimize the time you spend resolving problems.

Guidelines

When using the information in this chapter, Oracle recommends the following:

  • After performing any of the solution procedures in this chapter, immediately retry the failed task that led you to this troubleshooting information. If the task still fails when you retry it, perform the procedure of a second solution in this chapter (if provided) and then try the failed task again. Repeat this process until you resolve the problem.

  • Make notes about the solution procedures you perform, problems and indications you see, and the data you collect while troubleshooting. If you cannot resolve the problem using the information in this chapter and you must log a service request, the notes you make will expedite the process of solving the problem.

Process

Follow the process outlined in Table 20-1 when using the information in this chapter. If the information in a particular section does not resolve your problem, proceed to the next step in this process.

Table 20-1 Process for Using the Information in this Chapter

Step | Section to Use | Purpose
1 | Section 20.2 | Get started troubleshooting Oracle Privileged Account Manager. The procedures in this section quickly address a wide variety of problems.
2 | Section 20.3 | Perform problem-specific troubleshooting procedures for Oracle Privileged Account Manager. This section describes possible causes of the problems and solution procedures corresponding to each of the possible causes.
3 | Section 20.5 | Use My Oracle Support to get additional troubleshooting information about Oracle Fusion Applications or Oracle BI. My Oracle Support provides access to several useful troubleshooting resources, including Knowledge Base articles and Community Forums and Discussions.
4 | Section 20.5 | Log a service request if the information in this chapter and My Oracle Support does not resolve your problem. You can log a service request using My Oracle Support at https://support.oracle.com.


20.2 Getting Started with Troubleshooting and Logging Basics for Oracle Privileged Account Manager

This section provides information about how to diagnose Oracle Privileged Account Manager problems. The topics include:

20.2.1 Increasing the Log Level

When an Oracle Privileged Account Manager error occurs, you can gather more information about what caused the error by generating complete logs that include debug information and connector logging. Use the following steps:

  1. Set the Oracle Privileged Account Manager logging level to the finest level, which is TRACE:32.

  2. Repeat the task or procedure where you originally encountered the error.

  3. Examine the log information generated using the DEBUG level.

20.2.2 Examining Exceptions in the Logs

Examining the exceptions logged to the Oracle Privileged Account Manager log file can help you identify various problems.

You can access Oracle Privileged Account Manager's diagnostic log in the following directories:

DOMAIN_HOME/servers/Adminserver/logs
DOMAIN_HOME/servers/opamserver/logs

20.3 Resolving Common Problems

This section describes common problems and their solutions. The topics include:

20.3.1 Console Cannot Connect to Oracle Privileged Account Manager Server

Oracle Privileged Account Manager Console cannot connect to the Oracle Privileged Account Manager server.

Cause

If the Console cannot connect to the Oracle Privileged Account Manager server, then you might have a configuration problem with the Console or with Oracle Platform Security Services Trust.

Solution

To resolve this problem:

  1. Verify that your host and port information is correct.

  2. Confirm that the generated URL displayed on the Console is responsive.

  3. Ensure that you correctly completed all of the configuration steps described in "Post-Installation Tasks" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note:

If you have configured a high availability instance, ensure that you correctly completed all of the Oracle Privileged Account Manager configuration steps described in the Oracle Fusion Middleware High Availability Guide.

20.3.2 Console Changes Are Not Reflected in Other, Open Pages

When you have multiple browser windows or Console tabs open against the same Oracle Privileged Account Manager Console, updates made in one window or tab are not immediately reflected in the other windows or tabs.

Cause

The Oracle Privileged Account Manager Console does not proactively push updates to the browser.

Solution

To resolve this problem, refresh the browser window or tab.

20.3.3 Cannot Access Targets or Accounts

Your attempts to access targets and privileged accounts are failing. You cannot check out, check in, or test.

Cause 1

The ICF connector being used by Oracle Privileged Account Manager is having issues interacting with the target system.

Solution 1

To resolve this problem:

  1. Verify that the target system is up, and that the privileged account of interest exists.

  2. Increase Oracle Privileged Account Manager's logging level to TRACE:32 (its finest level) and review the trace logs to determine where the failure occurs.

    Problems are often caused by environmental issues that can be identified using the trace logs and remedied by fixing the configuration on the target system. Refer to Chapter 16, "Managing Oracle Privileged Account Manager Auditing and Logging" for more information.

  3. You might have a connector issue. Submit a bug that includes a reproducible test case, target system details, and trace logs.

Cause 2

A user changed the target's service account password out of band from Oracle Privileged Account Manager. For example, if the user changed the password by using the DB host or by using a different Oracle Privileged Account Manager instance in a different domain, the Show Password feature for the original Oracle Privileged Account Manager server does not reflect that change and any attempt to connect to that target will fail.

Solution 2

To resolve this problem, update the new password by editing the target through the Oracle Privileged Account Manager Console or the command line. Refer to Section 9.8, "Managing Privileged Account Passwords" or to Section A.6.8, "resetpassword Command" for more information.

20.3.4 Cannot Add Database Targets

This section describes issues that can prevent you from adding database targets:

20.3.4.1 Cannot Connect to Oracle Database with sysdba Role

Your attempts to connect to Oracle Database using the sysdba role are failing with the following error message:

Invalid Connection Details, see server log for details.

Cause

To connect to Oracle Database as a user with sysdba role, you must configure the Advanced Properties option with the value, internal_logon=sysdba.

You must also specify this setting for the Oracle Database SYS account, which must connect with the sysdba role. The Oracle Database SYS user is a special account and if you do not use this role, then the connection might fail. However, it is a better practice to create a service account instead of using SYS.

Solution

To resolve this problem:

  1. Connect to Oracle Database as a user with the sysdba role.

    Note:

    These configuration steps are not necessary if you are connecting as a normal user.
  2. Open the target's General tab and expand Advanced Configuration to view the configuration options.

  3. Enter the internal_logon=sysdba value into the Connection Properties field.

  4. Click Test to retest the connection.

  5. Save your changes.

20.3.4.2 Cannot Find Special Options for Adding a Database Target

You cannot find configuration options for connecting to database targets such as Oracle RAC Database or for using Secure Socket Layer (SSL).

Cause

Oracle Privileged Account Manager uses a Generic Database connector where special configuration options for specific database target systems are not exposed in a clean or intuitive manner.

Solution

To resolve this problem, define special connectivity options for database targets by modifying the Database Connection URL and Connection Properties parameter values.

20.3.5 Cannot Add an Active Directory LDAP Target

An LDAP target using Microsoft Active Directory fails when you test the connection, search for accounts, or check out passwords.

Cause

Active Directory defaults require specific configuration, so you must change the generic default values for the LDAP target. Oracle Privileged Account Manager uses a Generic LDAP connector where special or custom configuration options for specific LDAP target systems are not obvious. Usually, only Active Directory LDAP targets cause issues.

Solution

To resolve this problem, ensure the following when you add an LDAP target:

  1. Use SSL to communicate with Active Directory.

  2. Specify the following "Advanced Configuration" parameters:

    • Set Password Attribute to unicodepwd

    • Set Advanced Configuration > Account Object Classes to top|person|organizationalPerson|user.

  3. Specify an attribute that is suitable for data in Active Directory, such as uid or samaccountname, for the Account User Name Attribute, Uid Attribute, and LDAP Filter for Retrieving Accounts configuration parameters.

Note:

For more information about setting any of the following parameters, refer to Section 6.2.2.2, "Configuring the LDAP Target Type."

20.3.6 Grantee Cannot Perform a Checkout

A grantee's attempt to check out an account is failing with an Insufficient Privileges error.

Cause

The username is case-sensitive for Oracle Privileged Account Manager grants, but not always for WebLogic authentication.

Solution

To resolve this problem, be sure to enable the Use Retrieved User Name As Principal option for the authenticator being used for your production identity store. Refer to Section 3.3.2, "Configuring an External Identity Store for Oracle Privileged Account Manager" for more information.

20.3.7 Cannot View Users or Roles from the Configured Remote Identity Store

When you try to grant to a user or group, you cannot view all users and roles from the configured remote identity store.

Cause 1

The Control flag of the authenticator that corresponds to the identity store containing the user or role is not set to SUFFICIENT.

Cause 2

The user or role that you are searching for is not present in the first authenticator listed in the providers list.

Solution

To resolve this problem:

  1. Set the Control flag for all necessary authenticators to SUFFICIENT.

  2. By default, Oracle Privileged Account Manager searches for users and groups in the first authenticator in the Providers list. However, if you set the virtualize property in jps-config.xml to true, Oracle Privileged Account Manager fetches the entities from all LDAP authenticators. For example,

    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider"
                value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <property name="CONNECTION_POOL_CLASS"
                value="oracle.security.idm.providers.stdldap.JNDIPool"/>
      <property name="virtualize" value="true"/>
    </serviceInstance>
    

    In WebLogic, the jps-config.xml file is located in the following location:

     DOMAIN_HOME/config/fmwconfig
    

20.3.8 Group Membership Changes Are Not Immediately Reflected in Oracle Privileged Account Manager

You have an indirect grant through group membership and updates to that group membership are not immediately reflected in Oracle Privileged Account Manager.

For example, if you assign a user to an Oracle Privileged Account Manager administration role or to a group that has been granted an Oracle Privileged Account Manager privileged account, you may not be able to view these changes right away.

Cause

WebLogic caches group memberships and identity assertions by default. Therefore, changes in the source location will not be reflected in Oracle Privileged Account Manager until the cache entries are recomputed.

Solution

To resolve this problem, modify the caching settings in your WebLogic Authenticator and Asserter configuration to suit your requirements.

20.3.9 Cannot Use Larger Key Sizes for Export/Import

You are unable to use key sizes larger than 128 bits for export or import operations.

Cause

The default JRE installation does not contain the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6.

Solution

To resolve this problem, apply the JCE patch, available for download from http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

20.3.10 Oracle Privileged Account Manager End Users Gain Privileges They Were Not Explicitly Granted

An Oracle Privileged Account Manager end user can access all of the groups associated with a user, but was not explicitly granted access to those groups.

Cause 1

You granted an Oracle Privileged Account Manager end user access through an LDAP group that uses multiple values as its naming value.

For example, assume you configured an environment that uses CN as its naming attribute and that it contains two groups, A and B. Group A has only one CN value, cn=GroupA and group B has two CN values, cn=GroupA and cn=GroupB.

The Oracle Privileged Account Manager host container (WebLogic or WebSphere) will assert that actual members of GroupA are members of GroupA. However, the host container will also assert that the actual members of GroupB are also members of GroupA, which means that the members of GroupB will inadvertently get the privileges associated with GroupA.

Cause 2

You used nested group memberships.

If group B is a member of group A, and you grant group A access to an Oracle Privileged Account Manager resource, then you implicitly grant this privilege to group B.

Solution

To resolve this problem, you must ensure that group entries in LDAP have only a single value for the naming attribute being used.
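One way to audit a directory for Cause 1, shown as an added example (not Oracle code): parse an LDIF export of the group entries, flag every group that carries more than one value for the naming attribute, and list the names that more than one group claims. The sample LDIF is constructed, and the naming attribute (cn) and the set of group object classes are assumptions to adjust for your directory.

```python
import base64
from collections import defaultdict

# Constructed sample export (not real data). GroupB carries cn=GroupA as a
# second naming value, which is the situation described under Cause 1.
SAMPLE_LDIF = """\
version: 1

dn: cn=GroupA,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: GroupA
uniqueMember: uid=alice,ou=people,dc=example,dc=com

dn: cn=GroupB,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: GroupB
cn: GroupA
uniqueMember: uid=bob,ou=people,dc=example,dc=com

# A base64-encoded value ("GroupC") and a folded line, both legal LDIF.
dn: cn=GroupC,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn:: R3JvdXBD
uniqueMember: uid=carol,ou=people,
 dc=example,dc=com
"""

# Assumption: object classes that mark an entry as a group in this directory.
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "group", "posixgroup"}


def parse_ldif(text):
    """Return a list of entries; each maps a lowercased attribute name to its values."""
    # Unfold continuation lines: a line starting with one space continues the previous one.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], defaultdict(list)
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:        # skips the "version: 1" header block
                entries.append(dict(current))
            current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current[name.strip().lower()].append(value)
    return entries


def audit_groups(entries, naming_attr="cn"):
    """Return (multi_valued, collisions) for group entries.

    multi_valued: dn -> list of naming values, for groups with more than one.
    collisions:   lowercased name -> sorted list of DNs that all claim it.
    """
    multi_valued = {}
    claimed = defaultdict(set)
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if not classes & GROUP_CLASSES:
            continue
        dn = entry["dn"][0]
        names = entry.get(naming_attr, [])
        if len(names) > 1:
            multi_valued[dn] = names
        for name in names:
            # Directory name matching is normally case-insensitive.
            claimed[name.lower()].add(dn)
    collisions = {n: sorted(dns) for n, dns in claimed.items() if len(dns) > 1}
    return multi_valued, collisions


if __name__ == "__main__":
    multi, clashes = audit_groups(parse_ldif(SAMPLE_LDIF))
    for dn, names in multi.items():
        print(f"MULTI-VALUED {dn}: {names}")
    for name, dns in clashes.items():
        print(f"NAME '{name}' is claimed by: {dns}")
```

Every group reported as multi-valued needs its extra naming values removed before grants made through it can be trusted; the check does not cover the nested-group case in Cause 2.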

20.3.11 Cannot Access MSSQL Server Targets and Accounts

Your attempts to access the MSSQL server database target and accounts are failing. You cannot test, check out, or check in. Following are two reasons why this problem might occur:

Cause 1

The MSSQL driver sqljdbc4.jar is missing.

Cause 2

You might be facing JAVA Bug 7105007, which affects Java Versions: 1.6.0_26 and 1.6.0_29. Refer to http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7105007.

Solution

To resolve this problem:

  1. Ensure that the MSSQL driver is available for the server, as described by the note in the Database Type description in Table 6-0, "Configuring the Database Target".

  2. Use JAVA version 1.6.0_30 or higher to avoid encountering the referenced JAVA bug.

20.3.12 Troubleshooting Issues with Using Oracle Database TDE

This section describes issues you might encounter when you are attempting to set up or to operate Oracle Privileged Account Manager in Oracle Database Transparent Data Encryption (TDE) mode. These issues include:

20.3.12.1 TDE Wallet Errors

After enabling TDE mode, you see one of the following error messages:

  • No TDE wallet found

  • TDE wallet is closed

  • TDE wallet is undefined

  • TDE wallet is open but has no master key

  • Columns are encrypted but TDE wallet is not open

Cause

The expected TDE wallet status is open.

Solution

To resolve a problem with the TDE wallet, refer to "Enabling Transparent Data Encryption" in the Oracle Database Advanced Security Administrator's Guide.

20.3.12.2 The TDE Wallet is Open, but Columns Are Not Encrypted

After setting up TDE, you notice that the TDE wallet is open, but the columns are not encrypted.

Cause

The secure Oracle Privileged Account Manager columns are not encrypted.

Solution

To resolve this problem, perform the steps described in "Configuring Oracle Privileged Account Manager" of the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

For example:

sqlplus DEV_OPAM/password1 @IAM_HOME/opam/sql/opamxencrypt.sql

20.3.13 Cannot Open Session or Video Recordings

This section describes issues you might encounter when you are attempting to view session recording transcripts or video recordings. These issues include:

20.3.13.1 Cannot Access Recordings In the Internet Explorer, Safari, or Firefox 33+ Browsers

You used the Internet Explorer, Safari, or Firefox 33+ browsers to log in to the Oracle Privileged Account Manager Console, but could not view the recording transcript or video recording after following the link from the account's checkout history page results.

Cause

The Internet Explorer, Safari, or Firefox 33+ browsers mandate key sizes that are greater than 1024 bits, but the out-of-the-box DemoCA and certificates that are generated by Oracle WebLogic Server are 512 bits.

Solution

To work around this issue, you must generate a self-signed certificate with a key size that is greater than 1024 bits. Use the following steps:

  1. Generate a self-signed certificate with a key size of 2048 bits.

    java utils.CertGen -keyfilepass <CAPassword> -certfile <hostname>-cert \
      -keyfile <hostname>-key -cn <fully qualified hostname> -strength 2048 \
      -selfsigned -keyusagecritical false \
      -keyusage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
     
    

    For example:

    java utils.CertGen -keyfilepass password123 -certfile adc2120745-cert \
      -keyfile adc2120745-key -cn adc2120745.example.com -strength 2048 \
      -selfsigned -keyusagecritical false \
      -keyusage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
    
  2. Move the key with the demoidentity alias to demoidentityold.

    cd MW_HOME/wlserver/server/lib

    # List the current keystore contents
    keytool -list -keystore DemoIdentity.jks \
      -storepass DemoIdentityKeyStorePassPhrase

    # Rename the existing demoidentity entry
    keytool -changealias -alias demoidentity -destalias demoidentityold \
      -keypass DemoIdentityPassPhrase -keystore DemoIdentity.jks \
      -storepass DemoIdentityKeyStorePassPhrase

    # Confirm that the alias was renamed
    keytool -list -keystore DemoIdentity.jks \
      -storepass DemoIdentityKeyStorePassPhrase
    
  3. Update the DemoIdentityStore with the certificate and key that you generated in Step 1.

    Note:

    Refer to "Using the Oracle WebLogic Server Java Utilities" in the Oracle Fusion Middleware Command Reference for Oracle WebLogic Server for more information.

    cd MW_HOME/wlserver/server/lib

    java utils.ImportPrivateKey -keystore DemoIdentity.jks \
      -storepass DemoIdentityKeyStorePassPhrase -keyfile <hostname>-key.pem \
      -keyfilepass <CAPassword> -certfile <hostname>-cert.pem -alias demoidentity \
      -keypass DemoIdentityPassPhrase
    
  4. Import the certificate that you generated in Step 1 into the DemoTrust.jks file.

    keytool -importcert -v -trustcacerts -file <hostname>-cert.pem \
      -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase \
      -alias <hostname>
    
  5. Restart the Oracle WebLogic Server Domain.

    Note:

    For an environment hosted on multiple servers, you must repeat this step for each server. Most importantly, you must copy or duplicate the updates you performed on one server (in MW_HOME/wlserver/server/lib) onto the other servers.

20.3.13.2 Cannot Access Recordings in Any Browser

When you try to view a session recording or video recording, the "This web page is not available" error message is displayed and you are redirected to a URL that uses "localhost" as the host name.

Cause

The Oracle Privileged Account Manager server URL that was configured under the Oracle Privileged Account Manager Server Configuration has localhost defined in the URL. This host name cannot be resolved from external hosts.

Solution

Use the Server Configuration page to change the Oracle Privileged Account Manager server URL to reflect the fully qualified host name for the Oracle Privileged Account Manager server.

20.3.14 Session Checkout Does Not Work, Even After Granting the Account

An end user has been granted access to an account. However, when that user tries to connect as that account through the Oracle Privileged Session Manager the connection is disallowed.

Cause

Although the end user has been granted access to the account, the effective Usage Policy does not include session as the Allowed checkout type. You must explicitly grant session access in the Usage Policy.

Solution

Modify the effective Usage Policy to also grant session access.

20.3.15 OPAM Console Login Does Not Work in Internet Explorer 11 Browser

You tried to log into Oracle Privileged Account Manager by using the Console in an Internet Explorer 11 browser. No error messages were reported, however the login was not successful.

Cause

The Oracle Privileged Account Manager login does not work in an Internet Explorer 11 browser.

Workaround

Use a lower version (earlier than release 11) of Internet Explorer or another browser.

Solution

Apply the Oracle Universal Installer (OUI) patch for bug number 18071063 as described in the downloaded patch readme.

To download this patch, log in to https://support.oracle.com. Select the Patches and Updates tab and search for patch number 18071063.

20.3.16 End User Names Created in Oracle Identity Manager with the "#" Character Cannot Login to Oracle Privileged Account Manager

If you create an end user name in Oracle Identity Manager that contains a pound (#) symbol or character, that user will not be able to log into Oracle Privileged Account Manager.

Cause

WebSphere encodes the pound (#) character in the DN.

Workaround

Avoid using the pound (#) character in end user names that will log into Oracle Privileged Account Manager.

20.3.17 Audit Records Appear in BI Reports After a Long Delay

You notice that there is a long delay before audit records appear in BI Reports.

Cause

Oracle Privileged Account Manager audit records are pushed to the database based on an interval. This interval is specified using the OPSS scripts for auditing.

Solution

You can shorten the interval after which audit records are pushed to the database by using the setAuditRepository command provided in the OPSS scripts for auditing. For detailed information about using the setAuditRepository command, refer to "OPSS Scripts for Auditing" in the Oracle Fusion Middleware Application Security Guide.

In addition, the BI publisher can cache data to improve performance. You can tune or disable the caching settings for the Oracle Privileged Account Manager audit reports in BI Publisher. For detailed information about cache settings, refer to "Setting the Caching Properties" in the Oracle Fusion Middleware Report Designer's Guide for Oracle Business Intelligence Publisher.

20.3.18 The "Failure to Load Windows Connector" Exception Occurs

You notice that the "failure to load windows connector" exception occurs when you start the Oracle Privileged Account Manager server.

Cause

Oracle Privileged Account Manager uses the connector server configuration to search for a connector server on which the Windows connector is successfully deployed. If this connector server is not found, the "failure to load windows connector" exception is displayed.

Solution

Verify if the connector server configuration information for the connector server that hosts the Windows connector is specified correctly. If not, provide the correct connector server configuration information in Oracle Privileged Account Manager and restart the server.

20.3.19 Failure to Add a UNIX Target or Checkout a UNIX Account

A UNIX target fails when you test the connection, search for accounts, or check out passwords. This problem may be caused by one or both of the two following causes:

  • Cause 1

    The "Sudo Authorization" property is not defined correctly, which is causing errors in the communication with the UNIX system.

    Solution

    The "Sudo Authorization" property needs to be defined based on the type of target service account that is used to connect to the UNIX system. You can check if the "Sudo Authorization" property needs to be defined for a target service account, as follows:

    • Check if the account itself has root privileges. For example, check if the account is a root account. If yes, then do not select the "Sudo Authorization" property in the configuration properties while configuring the target service account.

    • Check if the account needs to run sudo authorization to become a root account. For example, if you are using an account named "admin", and you run sudo authorization to change this account to a root account, then select the "Sudo Authorization" property while configuring the target service account.

      However, if you are using a sudo account, then follow the procedure described in section "Creating a Target System SUDO User Account for Connector Operations" of Oracle Identity Manager Connector Guide for UNIX, to verify the account.

    • Check if the account has root privileges or if it can run sudo authorization to become a root account. If not, such an account cannot be used as a target service account. Choose an account which has root privileges or can run sudo authorization to become a root account.

  • Cause 2

    The "Login Shell Prompt" property is not defined correctly, which is causing errors in the communication with the UNIX system.

    Solution

    The Login Shell Prompt defines the prompt that is displayed on the screen while logging into the UNIX system, using the target service account. By default, it is a list of common values as shown in the following example:

    [$#%>~]

    In the above example, the square brackets form a regular expression to indicate that the prompt could be any one of the listed symbols. Check the following cases to define this property:

    • While using a root account, login as the root account and check the prompt.

    • When using a sudo account, there could be more than one prompt. Log in as the sudo account and check the prompt. Then, run sudo authorization to switch to the root account, and check the prompt. This prompt may be a different one. Ensure that both values are in the list between square brackets.

    • Message of the day could interfere with prompt detection. In some systems, there may be some message printed on the screen when logging into the system.

      For example, you may see the ## This is a production system, use carefully ## message. This message contains the pound (#) symbol, which may also be present in the Login Shell Prompt configuration. This can cause errors. You must fix the message to remove the characters that are used in Login Shell Prompt configuration.
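A pre-flight check for the two Login Shell Prompt cases above, shown as an added example (not Oracle code): it reports login-banner lines that contain characters from the configured prompt expression, and prompts that the expression would not match. The banner and prompts are constructed samples; the check assumes that Python's re module treats the bracket expression the same way the connector does and that any match in text printed before the prompt can be mistaken for the prompt.

```python
import re

# Default Login Shell Prompt value quoted in this section.
DEFAULT_PROMPT = r"[$#%>~]"

# Constructed samples: text printed at login before the first prompt, and the
# prompts observed when logging in as the sudo account and after becoming root.
SAMPLE_BANNER = (
    "Last login: Mon Jan  6 09:12:44 2025 from 10.0.0.5\n"
    "## This is a production system, use carefully ##\n"
)
SAMPLE_PROMPTS = {
    "sudo account": "[admin@host1 ~]$ ",
    "root after sudo": "[root@host1 ~]# ",
}


def check_login_prompt(prompt_regex, banner, prompts):
    """Check a Login Shell Prompt value against captured login output.

    Returns a dict with:
      banner_hits       - (line number, line, matched strings) for each banner
                          line containing something the expression matches
      unmatched_prompts - labels of prompts the expression does not match
    """
    pattern = re.compile(prompt_regex)
    findings = {"banner_hits": [], "unmatched_prompts": []}

    # Case 1: message-of-the-day text that looks like a prompt.
    for lineno, line in enumerate(banner.splitlines(), 1):
        matched = sorted({m.group(0) for m in pattern.finditer(line)})
        if matched:
            findings["banner_hits"].append((lineno, line, matched))

    # Case 2: a prompt (for example the root prompt after sudo) that the
    # configured expression does not cover.
    for label, prompt in prompts.items():
        if not pattern.search(prompt):
            findings["unmatched_prompts"].append(label)

    return findings


def report(prompt_regex, banner, prompts):
    """Print the findings in a form suitable for troubleshooting notes."""
    result = check_login_prompt(prompt_regex, banner, prompts)
    print(f"Login Shell Prompt: {prompt_regex}")
    for lineno, line, matched in result["banner_hits"]:
        print(f"  banner line {lineno} contains {matched}: {line!r}")
    for label in result["unmatched_prompts"]:
        print(f"  prompt not matched: {label}")
    if not result["banner_hits"] and not result["unmatched_prompts"]:
        print("  no conflicts found")
    return result


if __name__ == "__main__":
    # The default value matches both prompts but also the '#' in the banner.
    report(DEFAULT_PROMPT, SAMPLE_BANNER, SAMPLE_PROMPTS)
    # Narrowing the value to '$' clears the banner hit but misses the root prompt.
    report(r"[$]", SAMPLE_BANNER, SAMPLE_PROMPTS)
```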

20.3.20 Copying Password to Clipboard Fails in a HA Environment

The "Copy Password to Clipboard" operation fails in a HA environment.

Cause

The "Copy Password to Clipboard" operation relies on the ZeroClipboard JavaScript library files, which are not shipped with Oracle Privileged Account Manager. Currently, these library files cannot be located through the load balancer in a HA environment. This is because, in the ADF framework, the "source" attribute of the <af:resource> tag does not support the deferred EL expression. Instead, it only accepts the full path URL or a relative URL of the WebLogic Server.

Solution

Perform the following procedure to work around this issue:

  1. Deploy the ZeroClipboard library files on an instance of Oracle Privileged Account Manager (the computer where Oracle Privileged Account Manager has been installed) as described in Section 17.4.1, "Downloading and Deploying the ZeroClipboard Library Files on the Server."

  2. Verify the "ZeroClipboard.js" and the "ZeroClipboard.swf" files using URLs as shown in the following examples:

    • To verify the "ZeroClipboard.js" file run:

      http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.js

    • To verify the "ZeroClipboard.swf" file run:

      http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.swf

  3. Copy the "oinav.ear" file from the following location to a temporary folder:

    $ORACLE_HOME/oinav/modules/oinav.ear_11.1.1.3.0/

    Note:

    Create a separate copy of this .ear file as backup before you perform the rest of this procedure.
  4. Unzip the "oinav.ear" file and the "oiNavApp-war.war" file. Locate the oiNavApp-war folder, within which you must locate the "MyAccount.jsff," "MyChkout.jsff," and "ServerConfig.jsff" files in the following specified locations and make the suggested code changes:

    • Locating and modifying MyAccount.jsff:

      In the taskflows/opam/myaccount/ folder, find the "MyAccount.jsff" file and edit the .jsff file in the following manner:

      1. In the 12th line, search for the following text:

        <af:resource type="javascript" source="//ZeroClipboard/ZeroClipboard.js"/>
        
      2. Replace it with the following text:

        <af:resource type="javascript" source="http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.js"/> 
        

        Note:

        In the preceding example, http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.js is an example location of the .js library file. You must replace it with the actual library file location in your environment.
      3. In the 27th line, search for the following text:

        moviePath : '/ZeroClipboard/ZeroClipboard.swf'
        
      4. Replace it with the following text:

        moviePath : 'http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.swf'
        

        Note:

        In the preceding example, http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.swf is an example location of the .swf library file. You must replace it with the actual library file location in your environment.
    • Locating and modifying MyChkout.jsff:

      In the taskflows/opam/mychkout/ folder, find the "MyChkout.jsff" file and edit the .jsff file in the following manner:

      1. In the 14th line, search for the following text:

        source="//ZeroClipboard/ZeroClipboard.js"/>
        
      2. Replace it with the following text:

        source="http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.js"/>
        

        Note:

        In the preceding example, http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.js is an example location of the .js library file. You must replace it with the actual library file location in your environment.
      3. In the 26th line, search for the following text:

        moviePath : '/ZeroClipboard/ZeroClipboard.swf'
        
      4. Replace it with the following text:

        moviePath : 'http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.swf'
        

        Note:

        In the preceding example, http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.swf is an example location of the .swf library file. You must replace it with the actual library file location in your environment.
    • Locating and modifying ServerConfig.jsff:

      In the taskflows/opam/serverconfig/ folder, find the "ServerConfig.jsff" file and edit the .jsff file in the following manner:

      1. In the 14th line, search for the following text:

        source="//ZeroClipboard/ZeroClipboard.js"/>
        
      2. Replace it with the following text:

        source="http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.js"/>
        

        Note:

        In the preceding example, http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.js is an example location of the .js library file. You must replace it with the actual library file location in your environment.
      3. In the 20th line, search for the following text:

        moviePath : '/ZeroClipboard/ZeroClipboard.swf'
        
      4. Replace it with the following text:

        moviePath : 'http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.swf'
        

        Note:

        In the preceding example, http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.swf is an example location of the .swf library file. You must replace it with the actual library file location in your environment.
  5. Recreate the new .war and .ear files to include the changes.

  6. Shut down all WebLogic processes and replace the "oinav.ear" file with the modified version in the following location, on all instances of Oracle Privileged Account Manager or on all machines running Oracle Privileged Account Manager:

    $ORACLE_HOME/oinav/modules/oinav.ear_11.1.1.3.0/

  7. Restart all WebLogic processes and perform the "update deployment" using the WebLogic console.
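
To confirm the .jsff edits above, you can scan each file for ZeroClipboard references that are still relative, lack the http:// scheme, or contain stray whitespace. The following Python check is an added example, not part of the Oracle documentation; the script name is hypothetical and the sample fragment is constructed from the strings shown in the steps above.

```python
import re
import sys

# The two reference forms the procedure edits in each .jsff file:
#   source="...ZeroClipboard.js"   and   moviePath : '...ZeroClipboard.swf'
REF = re.compile(
    r'source\s*=\s*"(?P<js>[^"]*ZeroClipboard\.js)"'
    r"|moviePath\s*:\s*'(?P<swf>[^']*ZeroClipboard\.swf)'"
)

def classify(url):
    """Return 'ok' or the reason the reference does not match the documented form."""
    if re.search(r"\s", url):
        return "whitespace in URL"
    if not re.match(r"https?://", url):
        return "relative or missing scheme"
    if not re.match(r"https?://[A-Za-z0-9.-]+(:\d+)?/", url):
        return "malformed host or port"
    return "ok"

def check_jsff(text):
    """Return (line_number, kind, url, verdict) for every reference in a .jsff body."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for match in REF.finditer(line):
            kind = "js" if match.group("js") is not None else "swf"
            url = match.group(kind)
            findings.append((number, kind, url, classify(url)))
    return findings

# Constructed sample: the unedited strings plus two common editing slips.
SAMPLE = """\
source="//ZeroClipboard/ZeroClipboard.js"/>
source="myhost.example.com:2001/ZeroClipboard/ZeroClipboard.js"/>
moviePath : 'http://my host.example.com:2001/ZeroClipboard/ZeroClipboard.swf'
moviePath : 'http://myhost.example.com:2001/ZeroClipboard/ZeroClipboard.swf'
"""

if __name__ == "__main__":
    # Usage (hypothetical script name): python check_jsff.py MyChkout.jsff ServerConfig.jsff
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as handle:
            for number, kind, url, verdict in check_jsff(handle.read()):
                if verdict != "ok":
                    print(f"{path}:{number}: {kind} reference {url!r}: {verdict}")
```

Only references with a verdict other than "ok" are printed, so an empty result means every matched reference has the absolute form the procedure calls for.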

20.3.21 Error in Loading SAP Classes During the Startup of the Server

The diagnostic log displays a warning saying that SAP classes could not be loaded during server startup.

The following warning is displayed:

[ICF][WARN]org.identityconnectors.framework.impl.api.local.LocalConnectorInfoManagerImpl:createConnectorInfo() - Unable to load class org.identityconnectors.sap.SAPConnection$SAPDestinationDataProvider from bundle file:<path to org.identityconnectors.sap-2.0.0.jar>

Cause

The SAP third-party JARs were not copied, so they are missing when the SAP connectors are loaded.

Solution

For SAP targets, third-party jars must be copied before loading the SAP connectors. To do so, refer to Section 6.2.4.2, "Copying Third-Party JARs for the SAPUM and SAPUME Targets."

20.3.22 Checkout History Search Results for Pattern Search Do Not Include Recent Session Recordings

You cannot find recent session recordings while searching for a pattern in the Checkout History search.

Cause

Oracle Privileged Account Manager uses Oracle Text Index to index session recordings. The index is synchronized every hour by default, so pattern search may not return the most recent session recordings.

Solution

To include the recent session recordings in pattern search results, you can submit an update index request by calling the following URL:

https://<opamhost>:<opamport>/opam/checkout/syncindex

Note:

Security Administrators, User Managers, and Security Auditors are allowed to update the index.

You can also change the frequency of index update as described in Section 17.5.5, "Managing Oracle Text Index for Session Recordings."

20.3.23 The OPAMAgentService Windows Service Stops

After successful registration of the OPAM Agent, the "OPAMAgentService" service stops instantly.

Cause 1

If the service cannot find the required DLL files on the target system, an exception is thrown and the service is stopped. This error may occur specifically with the Microsoft Windows Server 2008, Microsoft Windows Server 2012, and the Microsoft Windows Server 2012 R2 target systems.

Solution 1

To work around this issue, check the OPAMAgentService log file located at the following relative path:

\\logs\OpamAgentService_YEAR_MONTH_DAY_HOUR_MINUTE_SECOND.log.

Note:

In the preceding relative path, "YEAR_MONTH_DAY_HOUR_MINUTE_SECOND" is a placeholder and represents the date and time format in which the log is saved.

If this log contains the "Required DLLs could not be found" message, then refer to Section 8.2.1.1, "Important Notes for Installation on Microsoft Windows Server" to work around this issue.

Cause 2

The Microsoft Windows Operating System version that you are using is not supported.

Solution 2

To work around this error, check the OPAMAgentService log file located at the following relative path:

\\logs\OpamAgentService_YEAR_MONTH_DAY_HOUR_MINUTE_SECOND.log.

Note:

In the preceding relative path, "YEAR_MONTH_DAY_HOUR_MINUTE_SECOND" is a placeholder and represents the date and time format in which the log is saved.

If this log contains the "ERROR : Uploader Config : No known OS detected ! Exiting Agent" message, then refer to Section 8.2.1, "Reviewing the Supported Components and Important Notes for Installation" to see a list of the supported Microsoft Windows Operating System versions.

Cause 3

The .NET version that you are using is not supported.

Solution 3

To work around this error, check the OPAMAgentService log file located at the following relative path:

\\logs\OpamAgentService_YEAR_MONTH_DAY_HOUR_MINUTE_SECOND.log.

Note:

In the preceding relative path, "YEAR_MONTH_DAY_HOUR_MINUTE_SECOND" is a placeholder and represents the date and time format in which the log is saved.

If this log contains the "ERROR : Uploader Config : .NET version below 4.0 ! Exiting Agent" message, then ensure that the .NET version is 4.5 by upgrading your existing version or by installing a new instance.
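
All three causes are distinguished by a single message in the newest OPAMAgentService log, so the check can be scripted. The following Python triage is an added example, not Oracle code; it assumes the timestamp fields in the log file name are numeric and that you supply the agent's logs directory yourself, and its sample log is constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: the YEAR_MONTH_DAY_HOUR_MINUTE_SECOND placeholders are numeric.
LOG_NAME = re.compile(r"OpamAgentService_(\d+)_(\d+)_(\d+)_(\d+)_(\d+)_(\d+)\.log")

# Message fragments quoted in this section, mapped to the cause they indicate.
SIGNATURES = [
    ("Required DLLs could not be found",
     "Cause 1: required DLLs missing (Section 8.2.1.1)"),
    ("No known OS detected",
     "Cause 2: unsupported Windows version (Section 8.2.1)"),
    (".NET version below 4.0",
     "Cause 3: unsupported .NET version (use .NET 4.5)"),
]

def newest_log(names):
    """Pick the latest log by the timestamp embedded in its file name."""
    stamped = []
    for name in names:
        match = LOG_NAME.fullmatch(name)
        if match:
            stamped.append((tuple(int(g) for g in match.groups()), name))
    return max(stamped)[1] if stamped else None

def diagnose(log_text):
    """Return (line_number, cause) for each known failure message."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        for fragment, cause in SIGNATURES:
            if fragment in line:
                hits.append((number, cause))
    return hits

# Constructed sample log; only the ERROR line is taken from this section.
SAMPLE_LOG = """\
INFO : Agent service starting
ERROR : Uploader Config : .NET version below 4.0 ! Exiting Agent
"""

if __name__ == "__main__":
    log_dir = Path(sys.argv[1])  # the agent's logs directory
    name = newest_log(p.name for p in log_dir.iterdir())
    if name is None:
        sys.exit("no OpamAgentService log found")
    text = (log_dir / name).read_text(errors="replace")
    for number, cause in diagnose(text) or [(0, "no known failure message")]:
        print(f"{name}:{number}: {cause}")
```

Comparing the timestamp fields as integers keeps the ordering correct whether or not the agent zero-pads them.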

20.3.24 A User is Able to Access the Grants of Another User

An Oracle Privileged Account Manager end user can access the grants associated with another user.

Cause

Multiple authenticators are configured in WebLogic with their control flags set as sufficient, and users with the same username exist in more than one authenticator.

Solution

You can use one of the following solutions to work around this issue:

  • Use only one authenticator and remove the others.

  • If you have to use multiple authenticators, remove the duplicate users from the authenticator.

20.3.25 Translation is Missing for Some Attributes in Windows Targets

The localized content or translation is missing for some attributes in Windows targets.

Cause

A connector server configuration has been added to Oracle Privileged Account Manager for the first time and the server has not been restarted. Translations for connector server properties are picked up during server startup and cached.

Solution

Restart the server.

20.3.26 Administration Tabs are Missing for Delegated Users

When you are logged in as a delegated user, the administration tabs are missing.

Cause

Usernames are case-sensitive for Oracle Privileged Account Manager delegations, but may not always be case-sensitive for WebLogic authentication.

Solution

To resolve this problem, ensure that you enable the "Use Retrieved User Name As Principal" option for the authenticator that is being used for your production identity store. Refer to Section 3.3.2, "Configuring an External Identity Store for Oracle Privileged Account Manager" for more information about working with an external identity store.
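
Sections 20.3.24 and 20.3.26 both come down to how usernames compare across identity stores: the same name in two authenticators, or a delegation whose case differs from the stored name. The following Python check is an added example, not Oracle code; it assumes you have exported each authenticator's usernames to a list, it goes beyond the text by also flagging names that collide only when case is ignored, and all authenticator and user names shown are constructed.

```python
from collections import defaultdict

def cross_store_duplicates(stores):
    """Find usernames present in more than one authenticator.

    stores maps authenticator name -> iterable of usernames. Returns
    {folded_name: {"exact": bool, "where": {authenticator: [spellings]}}};
    "exact" is True when at least two stores hold the identical spelling.
    """
    where = defaultdict(lambda: defaultdict(list))
    for store, users in stores.items():
        for user in users:
            where[user.casefold()][store].append(user)
    report = {}
    for folded, by_store in where.items():
        if len(by_store) < 2:
            continue
        spellings = [set(names) for names in by_store.values()]
        exact = any(a & b for i, a in enumerate(spellings) for b in spellings[i + 1:])
        report[folded] = {"exact": exact, "where": dict(by_store)}
    return report

def case_mismatched_delegations(delegated, stores):
    """List (delegated_name, stored_name, authenticator) differing only in case."""
    mismatches = []
    for name in delegated:
        for store, users in stores.items():
            for user in users:
                if user != name and user.casefold() == name.casefold():
                    mismatches.append((name, user, store))
    return mismatches

# Constructed sample data; authenticator and user names are hypothetical.
STORES = {
    "AuthenticatorA": ["jsmith", "opamadmin", "akumar"],
    "AuthenticatorB": ["jsmith", "AKumar", "mlee"],
}
DELEGATED = ["MLee", "opamadmin"]

if __name__ == "__main__":
    for folded, info in cross_store_duplicates(STORES).items():
        kind = "exact duplicate" if info["exact"] else "case-only collision"
        print(f"{folded}: {kind} in {info['where']}")
    for name, stored, store in case_mismatched_delegations(DELEGATED, STORES):
        print(f"delegation {name!r} is stored as {stored!r} in {store}")
```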

20.4 Frequently Asked Questions

This section provides answers to frequently asked questions related to the functionality of Oracle Privileged Account Manager and its features.

  1. How can I test if the ZeroClipboard files are deployed properly on the WebLogic server?

    Use one of the following methods to check if the ZeroClipboard files are deployed properly on the WebLogic server:

    • Log into the WebLogic Server administration console, click Deployments, and check if you can find "ZeroClipboard" in the list of deployments.

    • Open a browser, type the following path, and check if you can view the .js file successfully:

      http://{YOUR_SERVER_PATH}:{SERVER_PORT}/ZeroClipboard/ZeroClipboard.js

  2. When I configure the password display options, why do I get an error message saying that the files are not loaded properly?

    This issue can occur if the files are not deployed properly, if the Flash plug-in is not installed properly, or if the browser has blocked the Flash plug-in.

    To work around this issue, perform the following checks:

    • Log into the WebLogic server administration console and click Deployments to see if you can find "ZeroClipboard" in the list of deployments. If it is not listed, perform the procedure described in Section 17.4.1, "Downloading and Deploying the ZeroClipboard Library Files on the Server" again.

    • Check the folder name. Ensure that it is exactly "ZeroClipboard".

    • Use the following link to check if you have installed Flash. If not, you can install Flash using the same link:

      http://helpx.adobe.com/flash-player.html

    • Check if your browser has blocked the Flash plug-in. Refer to the "Enable Flash Player in your browser" section in the following link to enable the Flash plug-in:

      http://helpx.adobe.com/flash-player.html

    • After you make any changes, clear the cache of your browser.

    • Log out of Oracle Privileged Account Manager and log in again.

    Sometimes browser updates, Flash updates, or bugs in ZeroClipboard can cause problems. For current issue information, check the ZeroClipboard Community Forum at the following link, or download the newest ZeroClipboard library files if needed:

    https://github.com/zeroclipboard/ZeroClipboard/issues

  3. How can I test if the Flash plug-in is properly installed in my environment?

    Refer to the "Check if Flash Player is installed on your computer" section in the following link:

    http://helpx.adobe.com/flash-player.html

  4. Which browsers support the Copy password to clipboard feature?

    The ZeroClipboard library v1.x works in IE7 or later and most of the other major browsers. It is also fully compatible with Flash Player 10.

20.5 Using My Oracle Support for Additional Troubleshooting Information

You can use My Oracle Support (formerly MetaLink) to help resolve Oracle Fusion Middleware problems. My Oracle Support contains several useful troubleshooting resources, such as:

  • Knowledge base articles

  • Community forums and discussions

  • Patches and upgrades

  • Certification information

Note:

You can also use My Oracle Support to log a service request.

You can access My Oracle Support at https://support.oracle.com.