Oracle® Fusion Middleware

Oracle Access Management Bundle Patch Readme

OAM Bundle Patch 12.2.1.4.200327 Generic for all Server Platforms

F29349-01

April 2020

This document describes OAM Bundle Patch 12.2.1.4.200327.

This document requires a base installation of Oracle Access Management 12c Patch Set 4 (12.2.1.4.0). It supersedes the documentation that accompanies Oracle Access Management 12c Patch Set 4 (12.2.1.4.0) and contains the following sections:

1.1 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.200327

Oracle Access Management 12.2.1.4.200327 BP includes the following new features and enhancements:

  • OAuth Consent Management

    Provides capability for managing user consents, persisting user consents and providing mechanism to revoke them across DataCenters. Consent revocation capability is provided for both Administrators as well as individual users.

    For details, see Enabling Consent Management and Enabling Consent Management on MDC in Administering Oracle Access Management.

  • OAuth Just-In-Time (JIT) User Linking and Creation

    Provides capability to provision users automatically. The idToken as received from IDP has user attributes. These user attributes can have values like userId, user name, first name, last name, email address, and so on, which could be used for linking users to entries in the local id store or create them, if they do not exist.

    For details, see OAuth Just-In-Time (JIT) User Provisioning in Administering Oracle Access Management.

  • OAM Snapshot Tool

    Provides tooling to create a snapshot of the OAM IDM Domain with all its configurations, persist it, and use it for creating fully functional OAM IDM Domain clones.

    For details, see Using the OAM Snapshot Tool in Administering Oracle Access Management.

  • SAML Holder-of-Key (HOK) Profile Support

    SAML Holder-of-Key (HOK) profile support is added for OAM when acting as an Identity Provider (IP). This support is with OCI Service Provider (SP) Partners.

    For details, see the note OAM 12c Identity Provider (IDP) for SAML Profile Support with OCI Service Provider (SP) Partners (Doc ID 2657717.1) at https://support.oracle.com.

1.2 Understanding Bundle Patches

Describes Bundle Patches and explains differences between Bundle Patches, interim patches, and patch sets.

1.2.1 Bundle Patch

A bundle patch is an official Oracle patch for Oracle Fusion Middleware components on baseline platforms. In a bundle patch release string, the fifth digit indicated the bundle patch number. Effective November 2015, the version numbering format has changed. The new format replaces the numeric fifth digit of the bundle version with a release date in the form "YYMMDD" where:

  • YY is the last 2 digits of the year

  • MM is the numeric month (2 digits)

  • DD is the numeric day of the month (2 digits)

Each bundle patch includes the libraries and files that have been rebuilt to implement one or more fixes. All of the fixes in the bundle patch have been tested and are certified to work with one another.

Each Bundle Patch is cumulative: the latest Bundle Patch includes all fixes in earlier Bundle Patches for the same release and platform. Fixes delivered in Bundle Patches are rolled into the next release.

1.2.2 Patch Set

A patch set is a mechanism for delivering fully tested and integrated product fixes that can be applied to installed components of the same release. Patch sets include all of the fixes available in previous Bundle Patches for the release. A patch set can also include new functionality.

Each patch set includes the libraries and files that have been rebuilt to implement bug fixes (and new functions, if any). However, a patch set might not be a complete software distribution and might not include packages for every component on every platform.

All of the fixes in the patch set have been tested and are certified to work with one another on the specified platforms.

1.3 Recommendations

Oracle has certified the dependent Middleware component patches for Identity Management products and recommends that Customers apply these certified patches.

For more information on these patches, see the note Certification of Underlying or Shared Component Patches for Identity Management Products (Doc ID 2627261.1) at https://support.oracle.com under this new section

1.4 Bundle Patch Requirements

To remain in an Oracle-supported state, apply the Bundle Patch to all installed components for which packages are provided. Oracle recommends that you:

  1. Apply the latest Bundle Patch to all installed components in the bundle.
  2. Keep OAM Server components at the same (or higher) Bundle Patch level as installed WebGates of the same release.
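
The following script is an added example, not Oracle tooling: it parses release strings in the YYMMDD format described in 1.2.1 and checks the second recommendation above. It assumes the century is 20YY and that the WebGate level is written in the same five-field form; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare Bundle Patch levels written as <release>.<YYMMDD>.

# Base release of a Bundle Patch string: 12.2.1.4.200327 -> 12.2.1.4
bp_release() { printf '%s\n' "${1%.*}"; }

# Print the fifth field as an ISO date (assumes 20YY). Returns 1 when the
# field is not six digits or not a plausible date, which is the case for
# pre-November-2015 strings whose fifth field is a plain patch number.
bp_date() {
    d=${1##*.}
    case $d in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    yy=${d%????}; mm=${d#??}; mm=${mm%??}; dd=${d#????}
    # "[" compares in decimal, so months such as 08 and 09 are safe here.
    [ "$mm" -ge 1 ] && [ "$mm" -le 12 ] || return 1
    [ "$dd" -ge 1 ] && [ "$dd" -le 31 ] || return 1
    printf '20%s-%s-%s\n' "$yy" "$mm" "$dd"
}

# Return 0 when the server level ($1) is at the same or a later Bundle
# Patch than the WebGate level ($2), 1 when the server is behind, and
# 2 when a string is malformed or the two are from different releases.
server_covers_webgate() {
    bp_date "$1" >/dev/null || return 2
    bp_date "$2" >/dev/null || return 2
    [ "$(bp_release "$1")" = "$(bp_release "$2")" ] || return 2
    [ "${1##*.}" -ge "${2##*.}" ]
}

# Demonstration with the two Bundle Patch levels named in this readme.
SERVER_BP="12.2.1.4.200327"
WEBGATE_BP="12.2.1.4.191223"   # used here as a constructed WebGate level
echo "server  $SERVER_BP released $(bp_date "$SERVER_BP")"
echo "webgate $WEBGATE_BP released $(bp_date "$WEBGATE_BP")"
if server_covers_webgate "$SERVER_BP" "$WEBGATE_BP"; then
    echo "OK: server is at or above the WebGate Bundle Patch level"
else
    echo "CHECK: server is behind the WebGate level or the releases differ"
fi
```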

1.5 Applying the Bundle Patch

The following topics help you prepare and install the Bundle Patch files (or remove a Bundle Patch should you need to revert to your original installation):

1.5.1 Using the Oracle Patch Mechanism (Opatch)

The Oracle patch mechanism (Opatch) is a Java-based utility that runs on all supported operating systems. Opatch requires installation of the Oracle Universal Installer.

Note:

Oracle recommends that you have the latest version of Opatch (version 13.9.4.2 or higher) from My Oracle Support. Opatch requires access to a valid Oracle Universal Installer (OUI) Inventory to apply patches.

The patching process uses both the unzip and Opatch executables. After sourcing the ORACLE_HOME environment, Oracle recommends that you confirm that both of these exist before patching. Opatch is accessible at: $ORACLE_HOME/OPatch/opatch

When Opatch starts, it validates the patch to ensure there are no conflicts with the software already installed in your $ORACLE_HOME:

  • If you find conflicts with a patch already applied to the $ORACLE_HOME, stop the patch installation and contact Oracle Support Services.

  • If you find conflicts with a subset patch already applied to the $ORACLE_HOME, continue Bundle Patch application. The subset patch is automatically rolled back before installation of the new patch begins. The latest Bundle Patch contains all fixes from the previous Bundle Patch in $ORACLE_HOME.

This Bundle Patch is not -auto flag enabled. Without the -auto flag, no servers need to be running. The Machine Name and Listen Address can be blank on a default install.

Perform the steps in the following procedure to prepare your environment and download Opatch:

  • Log in to My Oracle Support: https://support.oracle.com/

  • Download the required Opatch version.

  • Use opatch -version to check if your Opatch version is earlier than 13.9.4.2.1. If so, download the latest 13.9.4.2.1 version.

  • Confirm if the required executables opatch and unzip are available in your system by running the following commands:

    Run which opatch to get the path of opatch.

    Run which unzip to get the path of unzip.

    Check whether the paths of the executables are in the environment variable "PATH". If not, add the paths to the system PATH.

  • Verify the OUI Inventory using the following command:

    opatch lsinventory

    Windows 64-bit: opatch lsinventory -jdk c:\jdk180

    If an error occurs, contact Oracle Support to validate and verify the inventory setup before proceeding. If the ORACLE_HOME does not appear, it might be missing from the Central Inventory, or the Central Inventory itself could be missing or corrupted.

  • Review information in the next topic Applying the OAM Bundle Patch
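
The checks in the list above can be scripted so that a patch run stops early on an old Opatch or a missing executable. The following is an added example, not Oracle tooling; the function names are hypothetical, the first banner is the one quoted in the rollback note in 1.6, and the second is constructed by analogy.

```shell
#!/bin/sh
# Added example: gate a patch run on the Opatch checks listed above.
MIN_OPATCH="13.9.4.2.1"   # minimum this readme names for apply and rollback

# Pull the dotted version out of Opatch banner text such as
# "Oracle Interim Patch Installer version 13.9.2.0.0".
opatch_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*[Vv]ersion[: ]*\([0-9][0-9.]*\).*/\1/p' |
        sed 's/\.$//' | head -n 1
}

# Return 0 when dotted version $1 >= $2. Fields are compared as numbers,
# because a string compare would rank 13.9.10 below 13.9.4; a missing
# field counts as 0, so 13.9.4.2 is older than 13.9.4.2.1.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Verdict for one banner: 0 = new enough, 1 = too old, 2 = unparseable.
check_opatch_banner() {
    v=$(opatch_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo "FAIL: no Opatch version found in output"; return 2
    fi
    if version_ge "$v" "$MIN_OPATCH"; then
        echo "OK: Opatch $v"; return 0
    fi
    echo "FAIL: Opatch $v is older than $MIN_OPATCH"; return 1
}

# Confirm the executables the readme requires: opatch under the given
# ORACLE_HOME and unzip somewhere on PATH.
check_executables() {
    home=$1
    [ -n "$home" ] || { echo "FAIL: ORACLE_HOME is not set"; return 1; }
    [ -x "$home/OPatch/opatch" ] || { echo "FAIL: $home/OPatch/opatch not found"; return 1; }
    command -v unzip >/dev/null 2>&1 || { echo "FAIL: unzip not on PATH"; return 1; }
    echo "OK: opatch and unzip found"
}

# Sample banners: the first is quoted in this readme, the second is constructed.
OLD_BANNER="Oracle Interim Patch Installer version 13.9.2.0.0"
NEW_BANNER="Oracle Interim Patch Installer version 13.9.4.2.1"
check_opatch_banner "$OLD_BANNER" || true
check_opatch_banner "$NEW_BANNER"
```

On a patch host, pass the text printed by the Opatch version check to check_opatch_banner and "$ORACLE_HOME" to check_executables before running opatch apply or opatch rollback.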

1.5.2 Applying the OAM Bundle Patch

Use information and steps here to apply the Bundle Patch from any platform using Oracle patch (Opatch). While individual command syntax might differ depending on your platform, the overall procedure is platform agnostic.

The files in each Bundle Patch are installed into the destination $ORACLE_HOME. This enables you to remove (roll back) the Bundle Patch even if you have deleted the original Bundle Patch files from the temporary directory you created.

Note:

Oracle recommends that you back up the $ORACLE_HOME using your preferred method before any patch operation. You can use any method (zip, cp -r, tar, and cpio) to compress the $ORACLE_HOME.

Formatting constraints in this document might force some sample text lines to wrap around. These line wraps should be ignored.

To apply the OAM Bundle Patch

Opatch is accessible at $ORACLE_HOME/OPatch/opatch. Before beginning the procedure to apply the Bundle Patch be sure to:

  • Set ORACLE_HOME

    For example:

    export ORACLE_HOME=/opt/oracle/mwhome
  • Run export PATH=<<Path of Opatch directory>>:$PATH to ensure that the Opatch executables appear in the system PATH. For example:

    export PATH=$ORACLE_HOME/OPatch:$PATH
  1. Download the OAM patch p31088958_122140_Generic.zip
  2. Unzip the patch zip file into the PATCH_TOP.

    $ unzip -d PATCH_TOP p31088958_122140_Generic.zip

    Note:

    On Windows, the unzip command has a limitation of 256 characters in the path name. If you encounter this, use an alternate ZIP utility such as 7-Zip to unzip the patch.

    For example: To unzip using 7-Zip, run the following command.

    "c:\Program Files\7-Zip\7z.exe" x p31088958_122140_Generic.zip

  3. Set your current directory to the directory where the patch is located.

    $ cd PATCH_TOP/31088958

  4. Log in as the same user who installed the base product and:
    • Stop the AdminServer and all OAM Servers to which you will apply this Bundle Patch.

      Any application that uses this OAM Server and any OAM-protected servers will not be accessible during this period.

    • Back up your $ORACLE_HOME: MW_HOME.

    • Move the backup directory to another location and record this so you can locate it later, if needed.

  5. Run the appropriate Opatch command as an administrator to ensure the required permissions are granted to update the central inventory and apply the patch to your $ORACLE_HOME. For example:
    opatch apply

    Windows 64-bit: opatch apply -jdk c:\path\to\jdk180

    Note:

    Opatch operates on one instance at a time. If you have multiple instances, you must repeat these steps for each instance.
  6. Start all Servers (AdminServer and all OAM Servers).

1.5.3 Recovering From a Failed Bundle Patch Application

If the AdminServer does not start successfully, the Bundle Patch application has failed.

To recover from a failed Bundle Patch application
  1. Confirm that there are no configuration issues with your patch application.
  2. Confirm that you can start the AdminServer successfully.
  3. Shut down the AdminServer and roll back the patch as described in Removing the Bundle Patch, then perform the patch application again.

1.6 Removing the Bundle Patch

If you want to roll back a Bundle Patch after it has been applied, perform the following steps. While individual command syntax might differ depending on your platform, the overall procedure is the same. After the Bundle Patch is removed, the system is restored to the state it was in immediately before patching.

Note:

  • Removing a Bundle Patch overrides any manual configuration changes that were made after applying the Bundle Patch. These changes must be re-applied manually after removing the patch.
  • Use Opatch 13.9.4.2.1 for rollback. If an older version of Opatch is used for rollback, the following failure message is displayed:
    C:\Users\<username>\Downloads\p31088958_122140_Generic\31088958
    >c:\Oracle\oam12214\OPatch\opatch rollback -id 31088958
    Oracle Interim Patch Installer version 13.9.2.0.0
    Copyright (c) 2020, Oracle Corporation. All rights reserved.
    ......
    The following actions have failed:
    Malformed \uxxxx encoding.
    Malformed \uxxxx encoding. 

Follow these instructions to remove the Bundle Patch on any system.

To remove a Bundle Patch on any system
  1. Perform steps in Applying the OAM Bundle Patch to set environment variables, verify the inventory, and shut down any services running from the ORACLE_HOME or host machine.
  2. Change to the directory where the patch was unzipped. For example: cd PATCH_TOP/31088958
  3. Back up the ORACLE_HOME directory that includes the Bundle Patch and move the backup to another location so you can locate it later.
  4. Run Opatch to roll back the patch. For example:
    opatch rollback -id 31088958
  5. Start the servers (AdminServer and all OAM Servers) based on the mode you are using.
  6. Re-apply the Bundle Patch, if needed, as described in Applying the Bundle Patch.

1.7 Resolved Issues

This chapter describes resolved issues in this Bundle Patch.

This Bundle Patch provides the fixes described in the below section:

1.7.1 Resolved Issues in OAM Bundle Patch 12.2.1.4.200327

Applying this bundle patch resolves the issues listed in the following table:

Table 1-1 Resolved Issues in OAM Bundle Patch 12.2.1.4.200327

Base Bug Number Description of the Problem
30805180 OAM Snapshot Tool
30805164 OAUTH CONSENT LIFECYCLE MANAGMENT AND MDC SUPPORT
30805154 OAUTH JUST IN TIME /JIT PROVISIONING
30820170 AUTHORIZATION ERROR WITH USER MEMBER LARGE NUMBER OF GROUP
30792754 MDC ENV. CUSTOM ATTRIBUTES ARE NOT INCLUDED IN ACCESS TOKEN
21391069 NEED TO LOG AUTHENTICATION FAILURE AUDIT LOG FROM CUSTOM PLUGIN
29717855 SAML LOGOUT NOT WORKING IF OLD FED SESSIONS EXIST IN DB
29240849 NEED TO LOG ADDITIONAL AUTHENTICATION FAILURE FOR AUDIT LOG FROM CUSTOM PLUGIN
30634571 12C OAUTH AUDIT RECORDS RETURN NULL VALUES FOR OAUTHTOKENVALIDATE EVENTS
30571576 K8S : OAM_ADMIN AND OAM_SERVER APPLICATION DEPLOYMENT FAILED K8S CLUSTER
29783271 UPDATE OF OUD DETAILS DELETES CONFIG ATTRIBUTE ENTRY ADDED FROM OAM-CONFIG.XML
29885236 ENABLED MULTIVALUEGROUPS SP USE $USER.GROUPS TWICE IN A FED SP ATTRIBUTE PROFILE
30134427 Fix for Bug 30134427
30169956 OAUTH PASSWORD GRANT TYPE CAN ONLY USE NON-PLUGIN LDAP MODULE FOR AUTHENTICATION
30213267 DCC WEBGATE TUNNELING FOR ADF CUSTOM LOGIN PAGE NOT WORKING

    This fix enables tunneling for custom pages using chunked transfer-encoding. It also provides a way to specify the read-timeout on connections used to fetch custom pages from managed server using the Webgate's user-defined parameter tunnelingDCCReadTimeout.

    Specify the tunnelingDCCReadTimeout in seconds, for example, tunnelingDCCReadTimeout=30.

    Note:

    When specifying tunnelingDCCReadTimeout, you must also increase aaaTimeoutThreshold accordingly.
30460435 DCC TUNNELING WHITELIST CAN NOT BE DISABLED USING ENABLEWHITELISTVALIDATIONDCCTUNNELING CONFIG
30426370 OAM 12.2.1.4:DOWNLOADACCESSARTIFACTS: SEVERE:REQUEST TO PROCESS ARTIFACTS FAILED
30468914 OAM DOES NOT SUPPORT HOLDER OF KEY PROFILE.
30069618 OAMAGENT-02077: AUTHN TOKEN IS EITHER NULL OR INVALID

1.7.2 Resolved Issues in OAM Bundle Patch 12.2.1.4.191223

Applying this bundle patch resolves the issues listed in the following table:

Table 1-2 Resolved Issues in OAM Bundle Patch 12.2.1.4.191223

Base Bug Number Description of the Problem
26679791 FIX FOR BUG 25898731 IS FAILING IN OAM 11.1.2.3.171017BP 26540179
30389257 TWO FACTOR AUTHENTICATION ENTRY TEXTBOX DOES NOT GAIN FOCUS
30311080 OIGOAMINTEGRATION.SH -CONFIGURESSOINTEGRATION THROWS UNMARSHAL EXCEPTION IN FRESH 12CPS4 ENV
30156706 OAM ADMIN SERVER START FAILS DUE TO FAIL TO CREATE OAM-CONFIG.XML FROM DBSTORE
29771448 % CHAR IN PASSWORD USED TO GENERATE OAUTH ACCESS TOKEN IS TRANSLATED TO ASCII
30144617 ISSUE ON CHANGE IN BEHAVIOR IN RETURNING ERRORCODE AFTER APPLYING PATCH 29918603
29482858 OAM 11G ASDK INTERMITTENTLY THROWING ERROR WHILE CREATING OBSSOCOOKIE
29541818 ER TO ADDRESSING ADDITIONAL USE CASES OF OAUTH AND JSON IN OAM 12C
29837657 OAM DOES SUBTREE SEARCH TO VALIDATE IDSTORE CREATION
29290091 WRONG SELECT IN ADMIN STARTUP LOGS
30156607 DIAG: ADD MORE LOGS IN AMKEYSTORE VALIDATION FLOW TO IDENTIFY CONFIG THAT CAUSES TO FAIL TO START ADMIN SERVER
30243111 DIAG: REQUIRE LOGS IN DEFAULT KEYSTORE BOOTSTRAPPING FLOW TO IDENTIFY CONFIG MISSING/CORRUPTION ISSUE
30180492 OCI FEDERATION WITH ORACLE ACCESS MANAGER IS NOT WORKING AS EXPECTED
30363797 OAM11GR2PS3 : WNA_DCC MODULE IS FAILING WITH SECURITY BUG FIX :25963019
29649734 12.2.1.3.180904 (BP04) ACCESS SERVER RETURNS JSON KEY AND NOT P7B LIKE DOCUMENT
30062772 FEDERATION BP18 CAUSES LOGOUT END_URL TO BE CONVERTED TO LOWER CASE IN FED LOGOU
30176378 ERRORS IN OAM SERVER LOGS AFTER RUNNING WLST COMMAND DISABLESKIPAUTHNRULEEVAL()
30267123 UNABLE TO LOGIN FROM MULTIPLE TABS AFTER LOGGING IN FROM A TAB.

1.8 Known Issues and Workarounds

For known issues and workarounds refer to My Oracle Support Document 2602696.1 at https://support.oracle.com



Copyright © 2020, Oracle and/or its affiliates.
