Oracle Fusion Middleware Oracle Access Management Bundle Patch Readme, OAM Bundle Patch 12.2.1.4.240109 Generic for all Server Platforms

This document describes OAM Bundle Patch 12.2.1.4.240109.

This document requires a base installation of Oracle Access Management 12c Patch Set 4 (12.2.1.4.0). This supersedes the documentation that accompanies Oracle Access Management 12c Patch Set 4 (12.2.1.4.0), it contains the following sections:

New Features and Enhancements in OAM Bundle Patch 12.2.1.4.240109
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.231005
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.230628
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.220906
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.220404
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.220113
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.210920
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.210408
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.201201
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.200909
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.200629
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.200327
Understanding Bundle Patches
Recommendations
Bundle Patch Requirements
Applying the Bundle Patch
Removing the Bundle Patch
Resolved Issues
Known Issues and Workarounds

1.1 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.240109

Oracle Access Management 12.2.1.4.240109 BP includes the following new features and enhancements:

Propagating error code from OAA application to OAM login page
This bug fix propagates an error code from Oracle Advanced Authentication (OAA) application to OAM login page. Login page can be customized to show the error message propagated from OAA.
The following error codes are supported:
- Error code:OAA-00001
  
  Reason: User Registration was incomplete.
  
  Cause: No factors registered.
- Error code: OAA-00002
  
  Reason: User did not have any usable factors.
  
  Cause: Maxed out of allowed authentication attempts. Matching factor(s) are disabled. No required factor(s) available for matching Policy.
- Error code: OAA-00003
  
  Reason: User authentication failure.
  
  Cause: User did not submit valid authentication data.
- Error code: OAA-00004
  
  Reason: System temporarily unavailable.
  
  Cause: Unexpected failure in Service during login. For example, Failure to send a challenge (Push, Email, SMS), Database outage.
Enhancing OAM Session Management endpoints
Introduced a mechanism to authorize OAM endpoints using TAP Tokens.
Added Null checks for programmatic Authn REST Interfaces
The following fixes are made as a part of this enhancement:
- Resolved the Null Pointer Exception that occurs when No Auth is selected as the authentication method.
- In the session validate API, Null Pointer throws an exception when a random string is supplied as an OAM_RM token.

Added PublicClientRefreshTokenEnabled client custom attribute to obtain a refresh token with a public client

By default it is not possible to obtain a refresh token with a public client. The PublicClientRefreshTokenEnabled client custom attribute allows to change this behavior. To enable the feature set the attribute value to true. For example, create the oauth public client with the following command:

curl -X POST http://<AdminServerHost:Port>/oam/services/rest/ssa/api/v1/oauthpolicyadmin/client -H 'Authorization:Basic d2VibG9naWM6d2VsY29tZTE=' -H 'Content-Type: application/json' -d '{"id":"PublicClientId","name":"PublicClient","scopes":["ResServer1.scope1"],"clientType":"PUBLIC_CLIENT","secret":"welcome1","idDomain":"TestDomain1","description":"Client Description","grantTypes":["PASSWORD","CLIENT_CREDENTIALS","JWT_BEARER","REFRESH_TOKEN","AUTHORIZATION_CODE"],"defaultScope":"ResourceServerOud1.scope1","redirectURIs":[{"url":http://localhost:8080/Sample.jsp,"isHttps":true}], "attributes":[{"attrName":"PublicClientRefreshTokenEnabled","attrValue":"true","attrType":"static"}]}'

Added GrantTypeRefreshTokenEnabled client custom attribute to return refresh token along with a new access token
By default, when the grant type is refresh_token, only a new access token is returned. The GrantTypeRefreshTokenEnabled client custom attribute allows to have a refresh token returned as well. To enable the feature set the attribute value to true. For example create the oauth confidential client with the following command:
```
curl -X POST http://<AdminServerHost:Port>/oam/services/rest/ssa/api/v1/oauthpolicyadmin/client -H 'Authorization:Basic d2VibG9naWM6d2VsY29tZTE=' -H 'Content-Type: application/json' -d '{"id":"TestClientId","name":"TestClient","scopes":["ResServer1.scope1"],"clientType":"CONFIDENTIAL_CLIENT","secret":"welcome1","idDomain":"TestDomain1","description":"Client Description","grantTypes":["PASSWORD","CLIENT_CREDENTIALS","JWT_BEARER","REFRESH_TOKEN","AUTHORIZATION_CODE"],"defaultScope":"ResServer1.scope1","redirectURIs":[{"url":http://localhost:8080/Sample.jsp,"isHttps":true}], "attributes":[{"attrName":"GrantTypeRefreshTokenEnabled","attrValue":"true","attrType":"static"}]}'
```
Note:
To revoke the old refresh_token while invoking the refresh_token grant type set the system property -Doauth.auto.revoke.enabled=true. The default value of this system property is false
Support for Response_mode in the authorization code grant flow
This enhancement allows 3-legged OAM OAuth 2.0 workflow API (/oauth2/rest/authorize) to respond in different modes like fragment , query or form_post by specifying response_mode as query parameter.
Support for 3-legged OAuth 2.0 workflow to return appropriate response mode
This enhancement ensures that 3-legged OAM OAuth 2.0 workflow API (/oauth2/rest/authorize) returns appropriate response mode response_mode=form_post if consent expiry time has been set.
Support for limiting PIN generation during the Second Factor Authentication
New properties MaxSendAttempts and MaxSendAttemptsLockoutEnabled are added to the Adaptive Authentication Plugin to limit the PIN generation during the Second Factor Authentication. For details, see Limiting PIN Generation During the Second Factor Authentication.

1.2 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.231005

Oracle Access Management 12.2.1.4.231005 BP includes the following new features and enhancements:

New parameter to fetch the authorization grant details
Added a new parameter response_mode to fetch the authorization grants to redirect_uri. For details, see Table 39-7 Parameter Values for response_mode.
Support for authentication in multiple browser tabs
OAM supports multi-tab feature when serverRequestCacheType parameter is set to COOKIE. For details, see Supporting Authentication in Multiple Browser Tabs.
OAM OAuth2 runtime endpoint to support domain as a query parameter
A new query parameter identityDomain is added to the oauth2 runtime endpoint instead of the header parameter X-OAUTH-IDENTITY-DOMAIN-NAME. The header parameter X-OAUTH-IDENTITY-DOMAIN-NAME is not required when identityDomain is provided. If both parameters are used, X-OAUTH-IDENTITY-DOMAIN-NAME will take precedence over identityDomain. For details, see:
OAM OAuth2 token validation URL supports passing access_token both as a header and as a query parameter
The access_token can be passed either as a header parameter or as a query parameter in the token validation URL. New syntax to initiate access_token as a header and as a query parameter are included in the REST API for OAuth. For details, see Validate Access Token Flow.

1.3 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.230628

Oracle Access Management 12.2.1.4.230628 BP includes the following new features and enhancements:

Support for administering a Secret Key
OAM supports administering a secret key using an access token with the BEARER authorization header by enabling the Secret Key Lifecycle feature.

For more information, see Administering a Secret Key.
Access Token Exchange Support in OAM
Support for token exchange is made available in this release.

For more information, see Token Exchange Support in OAM.
OpenIdConnectPlugin plugin to set tokens as session responses
OIDC token values can be retrieved using policy authorization responses (header or cookie) using the following expressions:
- For access token: $session.attr.oidc.token.access
- For the refresh token: $session.attr.oidc.token.refresh
- For the ID token: $session.attr.oidc.token.id
In a custom plugin, the following authentication context parameters can be used to obtain access token information:
- token_response: full response from the token endpoint
- access_token: access token value
- refresh_token: refresh token value
- idtoken: id token value
Functionality to allow cache controlled by request URL
Introduce an exception list to avoid caching of authorization policy results on Webgate specific resources. Following WLSTs are available for managing the exception list:
```
configureWGAuthzCachingExceptionListUrls(noCacheURL, action)
```
Example: configureWGAuthzCachingExceptionListUrls("exceptionUrl", "add/remove")
- This WLST can be used to add/remove URLs from Webgate Authorization Caching Exception List on OAM Server.
- 'action' can be specified as 'add' or 'remove' to operate accordingly on ExceptionList
```
configureWGAuthzCachingExceptionList(enabled, matchCriteria = "exactMatch", withQuery = "false")
```
Example: configureWGAuthzCachingExceptionList("true/false", matchCriteria = "exactMatch/startsWith", withQuery = "true/false")
- This WLST can be used to enable/disable Webgate Authorization Caching Exception List on OAM Server.
- 'matchCriteria' can be specified as 'exactMatch' or 'startsWith', with default being 'exactMatch'
- 'withQuery' can be specified as 'true' or 'false', with 'false' being the default meaning query-string from URL in Webgate authorization request will be ignored.

1.4 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.220906

Oracle Access Management 12.2.1.4.220906 BP includes the following new features and enhancements:

Federation partners support certificates using RSASSA-PSS signature algorithms
12cPS4 Oct BP includes support for the Signature Algorithm SHA256-RSA-MGF1.

Note:
This update is dependent on OWSM patch 34839859.

For details, see Configuring RSA OAEP Key Transport Digest and MGF Digest.
The OAuth Client GET REST API is enhanced to retrieve the client secret
For use cases that require the administrators to display the client secret for registered clients in their admin portals. This feature needs to be enabled using a configuration post applying the patch for the new behavior to take effect, and the secret for the clients that get registered after enabling this feature can retrieved using the API. For existing clients that were registered before enabling the feature, the previous behavior of returning hashed secrets will continue.

For details, see Manage OAuth Client Secret Retrieval.

1.5 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.220404

Oracle Access Management 12.2.1.4.220404 BP includes the following new features and enhancements:

Make the OAM_ID cookie domain-scoped, instead of host scoped

Support has been added to add a cookie domain for the OAM_ID cookie. This can be enabled by setting the configuration parameter SSOCookieDomainEnabled to true. The cookie domain for the cookie must be set through the configuration property: SSOCookieDomain. These updates must be done in the oam-config.xml file and use the import utility to update the change. A server restart is required after the import.

For details, see bug 33291908 in Table 1-8.

1.6 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.220113

Oracle Access Management 12.2.1.4.220113 BP includes the following new features and enhancements:

Support for OAuth Custom Claims Plugin

For details, see the note Oracle Access Manager (OAM) Federation Protocol OAUth - Elaborated Steps For <Patch:28228295> (Doc ID 2817030.1) at https://support.oracle.com

1.7 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.210920

Oracle Access Management 12.2.1.4.210920 BP includes the following new features and enhancements:

OAM SAML 2.0 Supported Encryption Algorithms

OAM supports AES-GCM encryption modes.

For details, see OAM SAML 2.0 Supported Encryption Algorithms and Changing Default Encryption Algorithm
Two-way SSL for OAP over REST Communication.

You can enable mutual authentication for OAP over REST between WebGate and OAM Server, therefore ensuring that the Server communicates with authentic clients.

For details, see Enabling two-way SSL for OAP over REST
TOTP-based Multi Factor Authentication in OAM

You can configure MFA using the configureMFA command with config-utility.jar

For details, see Configuring TOTP-based Multi Factor Authentication in OAM
Token Signing Using Third-Party Certificates

Access tokens can be signed using a self-signed key pair generated out-of-the-box. In this release, OAM extends the support to allow signing of access tokens using third-party key pairs.

For details, see Token Signing Using Third-Party Certificates
Mutual-TLS (mTLS) Client Authentication in OAM

In TLS authentication, the server confirms its identity by producing a certificate (public key), which is then verified by the TLS verification process. In mTLS (mutual-TLS), along with the server, the client's identity is also verified. The TLS handshake is utilized to validate the client's possession of the private key corresponding to the public key in the certificate and to validate the corresponding certificate chain.

For details, see Configuring Client Authentication and Configuring mTLS Client Authentication
Custom Claims

OAM extends the ability to define the custom claims using templates that can be configured at client or domain level. The custom claims can be included in all the access tokens, ID tokens and userinfo. You can also perform value transformation as well as value filtering of the custom claim.

For details, see Custom Claims
OAuth Access Token Maximum Size

Default OAuth access token length limit has been increased to 7500. This value can be overridden using the OAuth Identity domain custom parameter: accessTokenMaxLength.
OAuth Client Update - Support for PATCH Request

Introduces support for PATCH request during modification of OAuth clients. With PATCH operation, OAM appends existing scopes with values from the request. Similar behavior is provided for redirect_uris, grant types, and custom attributes. The existing PUT operation replaces the contents of OAuth client parameters with the values from the request.

1.8 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.210408

Oracle Access Management 12.2.1.4.210408 BP includes the following new features and enhancements:

Session Management Optimizations

Session Management Engine has been optimized and tuned to provide improved system performance under load.

Also see, Database Tuning for Oracle Access Management in the Tuning Performance Guide
OAuth Refresh Token Management

OAuth Token Management capabilities have been enhanced with the ability to invalidate Refresh Tokens.

For details, see Revoking OAuth Tokens in Administering Oracle Access Management
12c WebGates for Apache and IIS Web Servers

WebGates for IIS and Apache Web Servers are made available in this release.

For details, see Installing and Configuring IIS 12c WebGate for OAM in Installing WebGates for Oracle Access Manager
Support for TLS 1.3 & FIPS 140-2

This release is compliant with the latest FIPS and TLS standards and versions.

For details, see Enabling FIPS Mode on Oracle Access Management and TLS 1.3 and TLS 1.2 Support in Oracle Access Management in Administering Oracle Access Management

1.9 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.201201

Oracle Access Management 12.2.1.4.201201 BP includes the following new features and enhancements:

Proof Key for Code Exchange (PKCE) Support in OAM

Introduces PKCE support in the existing OAM OAuth Authorization Code Grant Flow. It can be used to enhance the security of the existing 3-legged OAuth, mitigating possible authorization code interception attacks. You can enable PKCE at the domain level or just for a specific client.

For details, see Proof Key for Code Exchange (PKCE) Support in OAM in Administering Oracle Access Management
Keep the OAUTH_TOKEN Response Unset

OAM provides an option to not set the OAUTH_TOKEN cookie or header when SSO Session Linking is enabled. You must set the challenge parameter IS_OAUTH_TOKEN_RESPONSE_SET to false.

Note:
If IS_OAUTH_TOKEN_RESPONSE_SET is not configured, or set to true then the OAUTH_TOKEN cookie/header is set.

1.10 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.200909

Oracle Access Management 12.2.1.4.200909 BP includes the following new features and enhancements:

Support for AWS Role Mapping Attribute in SAML Response

Introduces a new function that can be configured in SP Attribute Profile for supporting the AWS role mapping attribute in SAML response.

For details, see AWS Role Mapping Attribute in SAML Response in Administering Oracle Access Management
Support for Attribute Value Mapping and Filters in OAM Federation

OAM federation supported Attribute Name Mapping. It extends the support for Attribute Value Mapping and Attribute Filtering features.

For details, see Using Attribute Value Mapping and Filtering in Administering Oracle Access Management

1.11 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.200629

Oracle Access Management 12.2.1.4.200629 BP includes the following new features and enhancements:

Support for SameSite=None Attribute in OAM Cookies

OAM adds SameSite=None attribute to all the cookies set by WebGate and OAM Server.
Note:
- You must also download and upgrade to the latest WebGate Patch for this feature to work. For details, see the note Support for SameSite Attribute in Webgate (Doc ID 2687940.1) at https://support.oracle.com.
- See also the note Oracle Access Manager (OAM): Impact Of SameSite Attribute Semantics (Doc ID 2634852.1) at https://support.oracle.com.
Optional Configurations on OAM Server
- If SSL/TLS is terminated on Load Balancer (LBR) and OAM server is not running in SSL/TLS mode, set the following system property in setDomainEnv.sh: -Doam.samesite.flag.value=None;secure
  Alternatively, you can propagate SSL/TLS context from the LBR or Web Tier to OAM Server. For details, see Doc ID 1569732.1 at https://support.oracle.com.
- To disable the inclusion of SameSite=None by OAM Server, set the following system property in setDomainEnv.sh: -Doam.samesite.flag.enable=false
- To set SameSite=None for non-SSL/TLS HTTP connections, set the following system property in setDomainEnv.sh: -Doam.samesite.flag.enableNoneWithoutSecure=true
Example - To add the system properties to setDomainEnv.sh:
1. Stop all the Administration and Managed Servers.
2. Edit the $OAM_DOMAIN_HOME/bin/setDomainEnv.sh, and add the properties as shown:
```
EXTRA_JAVA_PROPERTIES="-Doam.samesite.flag.enable=false ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
```
3. Start the Administration and Managed Servers.
Optional Configurations for WebGate
- If SSL/TLS is terminated on LBR and OAM Webgate WebServer is not running in SSL/TLS mode, set the ProxySSLHeaderVar in the User Defined Parameters configuration to ensure that WebGate treats the requests as SSL/TLS. For details, see User-Defined WebGate Parameters.
- To disable inclusion of SameSite=None by OAM WebGate, set SameSite=disabled in the User Defined Parameters configuration on the console. This is a per-agent configuration.
- To set SameSite=None for non-SSL HTTP connections, set EnableSameSiteNoneWithoutSecure=true in the User Defined Parameters configuration on the console. This is a per-agent configuration.
Note:

In deployments using mixed SSL/TLS and non-SSL/TLS components: For non-SSL/TLS access, OAM Server and Webgate do not set SameSite=None on cookies. Some browsers (for example, Google Chrome) do not allow SameSite=None setting on non-secure (non-SSL/TLS access) cookies, and therefore, may not set cookies if a mismatch is found.

Therefore, it is recommended that such mixed SSL/TLS and non-SSL/TLS deployments are moved to SSL/TLS Only deployments to strengthen the overall security.

X.509 Authentication with Extended Key Usage (EKU)

In X.509 authentication flows, Extended Key Usage (EKU) certification extension check can be added optionally to ensure that the usage of the certificate is allowed.

For details, see X.509 Authentication Using Extended Key Usage (EKU) in Administering Oracle Access Management.

1.12 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.200327

Oracle Access Management 12.2.1.4.200327 BP includes the following new features and enhancements:

OAuth Consent Management

Provides capability for managing user consents, persisting user consents and providing mechanism to revoke them across Data Centers. Consent revocation capability is provided for both Administrators as well as individual users.

For details, see Enabling Consent Management and Enabling Consent Management on MDC in Administering Oracle Access Management
OAuth Just-In-Time (JIT) User Linking and Creation
Provides capability to provision users automatically. The idToken as received from IDP has user attributes. These user attributes can have values like userId, user name, first name, last name, email address, and so on, which could be used for linking users to entries in the local id store or create them, if they do not exist.

For details, see OAuth Just-In-Time (JIT) User Provisioning in Administering Oracle Access Management
OAM Snapshot Tool
Provides tooling to create a snapshot of the OAM IDM Domain with all its configurations, persist it, and use it for creating fully functional OAM IDM Domain clones.

For details, see Using the OAM Snapshot Tool in Administering Oracle Access Management
SAML Holder-of-Key (HOK) Profile Support
SAML Holder-of-Key (HOK) profile support is added for OAM when acting as an Identity Provider (IP). This support is with OCI Service Provider (SP) Partners.

For details, see the note OAM 12c Identity Provider (IDP) for SAML Profile Support with OCI Service Provider (SP) Partners (Doc ID 2657717.1) at https://support.oracle.com.

1.13 Understanding Bundle Patches

Describes Bundle Patches and explains differences between Stack Patch Bundle, Bundle Patches, interim patches, and patch sets.

Stack Patch Bundle
Bundle Patch
Patch Set

1.13.1 Stack Patch Bundle

Stack patch Bundle deploys the IDM product and dependent FMW patches using a tool. For more information about these patches, see Quarterly Stack Patch Bundles (Doc ID 2657920.1) at https://support.oracle.com.

1.13.2 Bundle Patch

A bundle patch is an official Oracle patch for Oracle Fusion Middleware components on baseline platforms. In a bundle patch release string, the fifth digit indicated the bundle patch number. Effective November 2015, the version numbering format has changed. The new format replaces the numeric fifth digit of the bundle version with a release date in the form "YYMMDD" where:

YY is the last 2 digits of the year
MM is the numeric month (2 digits)
DD is the numeric day of the month (2 digits)

Each bundle patch includes the libraries and files that have been rebuilt to implement one or more fixes. All of the fixes in the bundle patch have been tested and are certified to work with one another.

Each Bundle Patch is cumulative: the latest Bundle Patch includes all fixes in earlier Bundle Patches for the same release and platform. Fixes delivered in Bundle Patches are rolled into the next release.

1.13.3 Patch Set

A patch set is a mechanism for delivering fully tested and integrated product fixes that can be applied to installed components of the same release. Patch sets include all of the fixes available in previous Bundle Patches for the release. A patch set can also include new functionality.

Each patch set includes the libraries and files that have been rebuilt to implement bug fixes (and new functions, if any). However, a patch set might not be a complete software distribution and might not include packages for every component on every platform.

All of the fixes in the patch set have been tested and are certified to work with one another on the specified platforms.

1.14 Recommendations

Oracle has certified the dependent Middleware component patches for Identity Management products and recommends that Customers apply these certified patches.

For more information on these patches, see the note Certification of Underlying or Shared Component Patches for Identity Management Products (Doc ID 2627261.1) at https://support.oracle.com.

1.15 Bundle Patch Requirements

To remain in an Oracle-supported state, apply the Bundle Patch to all installed components for which packages are provided. Oracle recommends that you:

Apply the latest Bundle Patch to all installed components in the bundle.
Keep OAM Server components at the same (or higher) Bundle Patch level as installed WebGates of the same release.

1.16 Applying the Bundle Patch

The following topics help you, as you prepare and install the Bundle Patch files (or as you remove a Bundle Patch should you need to revert to your original installation):

Using the Oracle Patch Mechansim (Opatch)
Applying the OAM Bundle Patch
Recovering From a Failed Bundle Patch Application

Note:

You must install the following mandatory patches:
- OPSS: 33950717
- OPSS one-off: 34302154
- OWSM: 35868571
- OINAV: 35780760
- WLS Patch: 36155700
- libovd: 34065178
- EM one-off: 34542329
- ADF: 36074941
- Coherence: 36068046
- FMW Thirdparty Bundle: 36086980
From March 2024, the Oracle Access Manager (OAM) components using SIMPLE-mode certificates for communication will not work, resulting in an outage in the OAM environment, unless preventive measures are taken. For more information, see March 2024 Expiration Of The Oracle Access Manager (OAM) Out Of The Box Certificates (Doc ID 2949379.1) at https://support.oracle.com.

1.16.1 Using the Oracle Patch Mechanism (Opatch)

The Oracle patch mechanism (Opatch) is a Java-based utility that runs on all supported operating systems. Opatch requires installation of the Oracle Universal Installer.

Note:

Oracle recommends that you have the latest version of Opatch from My Oracle Support. Opatch requires access to a valid Oracle Universal Installer (OUI) Inventory to apply patches.

Patching process uses both unzip and Opatch executables. After sourcing the ORACLE_HOME environment, Oracle recommends that you confirm that both of these exist before patching. Opatch is accessible at: $ORACLE_HOME/OPatch/opatch

When Opatch starts, it validates the patch to ensure there are no conflicts with the software already installed in your $ORACLE_HOME:

If you find conflicts with a patch already applied to the $ORACLE_HOME, stop the patch installation and contact Oracle Support Services.
If you find conflicts with a subset patch already applied to the $ORACLE_HOME, continue Bundle Patch application. The subset patch is automatically rolled back before installation of the new patch begins. The latest Bundle Patch contains all fixes from the previous Bundle Patch in $ORACLE_HOME.

This Bundle Patch is not -auto flag enabled. Without the -auto flag, no servers needs to be running. The Machine Name & Listen Address can be blank on a default install.

1.16.2 Applying the OAM Bundle Patch

Use information and steps here to apply the Bundle Patch from any platform using Oracle patch (Opatch). While individual command syntax might differ depending on your platform, the overall procedure is platform agnostic.

The files in each Bundle Patch are installed into the destination $ORACLE_HOME. This enables you to remove (roll back) the Bundle Patch even if you have deleted the original Bundle Patch files from the temporary directory you created.

Note:

Oracle recommends that you back up the $ORACLE_HOME using your preferred method before any patch operation. You can use any method (zip, cp -r, tar, and cpio) to compress the $ORACLE_HOME.

Formatting constraints in this document might force some sample text lines to wrap around. These line wraps should be ignored.

To apply the OAM Bundle Patch

Opatch is accessible at $ORACLE_HOME/OPatch/opatch. Before beginning the procedure to apply the Bundle Patch be sure to:

Set ORACLE_HOME

For example:
```
export ORACLE_HOME=/opt/oracle/mwhome
```
Run export PATH=<<Path of Opatch directory>>:$PATH to ensure that the Opatch executables appear in the system PATH. For example:
```
export PATH=$Oracle_HOME/OPatch:$PATH
```

Download the OAM patch p36170239_122140_Generic.zip
Unzip the patch zip file into the PATCH_TOP.

$ unzip -d PATCH_TOP p36170239_122140_Generic.zip

Note:

On Windows, the unzip command has a limitation of 256 characters in the path name. If you encounter this, use an alternate ZIP utility such as 7-Zip to unzip the patch.

For example: To unzip using 7-Zip, run the following command.

"c:\Program Files\7-Zip\7z.exe" x p36170239_122140_Generic.zip
Set your current directory to the directory where the patch is located.

$ cd PATCH_TOP/36170239
Log in as the same user who installed the base product and:
- Stop the AdminServer and all OAM Servers to which you will apply this Bundle Patch.
  
  Any application that uses this OAM Server and any OAM-protected servers will not be accessible during this period.
- Back up your $ORACLE_HOME: MW_HOME.
- Move the backup directory to another location and record this so you can locate it later, if needed.
Run the appropriate Opatch command as an administrator to ensure the required permissions are granted to update the central inventory and apply the patch to your $ORACLE_HOME. For example:
opatch apply
Windows 64-bit: opatch apply -jdk c:\path\to\jdk180

Note:
Opatch operates on one instance at a time. If you have multiple instances, you must repeat these steps for each instance.
Start all Servers (AdminServer and all OAM Servers).

1.16.3 Applying the OAM Bundle Patch in Multi Data Center (MDC)

Use information and steps here to apply the Bundle Patch in an MDC setup.

It is recommended that you upgrade or patch the Master data center followed by each of the Clone data centers.

Perform the following steps to apply the patch in an MDC setup.

Upgrade or apply the patch on the Master data center. For more information, see Applying the OAM Bundle Patch
Disable Automated Policy Synchronization (APS) between Master and the Clone data center that needs to be patched. For details, see Disabling Automated Policy Synchronization in Administering Oracle Access Management
Ensure that WriteEnabledFlag is true in oam-config.xml. If it is not enabled, set the WriteEnabledFlag to true in Clone data center using the following WLST commands.
```
connect('weblogic','XXXX','t3://localhost:7001')
     domainRuntime()
     setMultiDataCenterWrite(WriteEnabledFlag="true")
```
Upgrade or apply the patch on the Clone data center.
Change the WriteEnabledFlag to false in the Clone data center using the following WLST commands:
```
connect('weblogic','XXXX','t3://localhost:7001')
     domainRuntime()
     setMultiDataCenterWrite(WriteEnabledFlag="false")
```
Note:
Clone must be made write-protected before enabling APS to ensure that there are no inconsistencies between the data centers
Re-enable APS between Master and the upgraded Clone data center. For details, see Enabling Automated Policy Synchronization in Administering Oracle Access Management

1.16.4 Recovering From a Failed Bundle Patch Application

If the AdminServer does not start successfully, the Bundle Patch application has failed.

To recover from a failed Bundle Patch application

Confirm that there are no configuration issues with your patch application.
Confirm that you can start the AdminServer successfully.
Shut down the AdminServer and roll back the patch as described in Removing the Bundle Patch then perform patch application again.

1.17 Removing the Bundle Patch

If you want to rollback a Bundle Patch after it has been applied, perform the following steps. While individual command syntax might differ depending on your platform, the overall procedure is the same. After the Bundle Patch is removed, the system is restored to the state it was in immediately before patching.

Note:

Removing a Bundle Patch overrides any manual configuration changes that were made after applying the Bundle Patch. These changes must be re-applied manually after removing the patch.

Use the latest version of Opatch for rollback. If older versions of the Opatch is used for rollback, the following fail message is displayed:

C:\Users\<username>\Downloads\p36170239_122140_Generic\36170239  
>c:\Oracle\oam12214\OPatch\opatch rollback -id 36170239
Oracle Interim Patch Installer version 13.9.2.0.0
Copyright (c) 2020, Oracle Corporation. All rights reserved.
......
The following actions have failed:
Malformed \uxxxx encoding.
Malformed \uxxxx encoding.

Follow these instructions to remove the Bundle Patch on any system.

To remove a Bundle Patch on any system

Perform steps in Applying the OAM Bundle Patch to set environment variables, verify the inventory, and shut down any services running from the ORACLE_HOME or host machine.
Change to the directory where the patch was unzipped. For example: cd PATCH_TOP/36170239
Back up the ORACLE_HOME directory that includes the Bundle Patch and move the backup to another location so you can locate it later.
Run Opatch to roll back the patch. For example:
```
opatch rollback -id 36170239
```
Start the servers (AdminServer and all OAM Servers) based on the mode you are using.
Re-apply the Bundle Patch, if needed, as described in Applying the Bundle Patch.

1.18 Resolved Issues

This chapter describes resolved issues in this Bundle Patch.

This Bundle Patch provides the fixes described in the below section:

Resolved Issues in OAM Bundle Patch 12.2.1.4.240109
Resolved Issues in OAM Bundle Patch 12.2.1.4.231005
Resolved Issues in OAM Bundle Patch 12.2.1.4.230628
Resolved Issues in OAM Bundle Patch 12.2.1.4.230317
Resolved Issues in OAM Bundle Patch 12.2.1.4.221208
Resolved Issues in OAM Bundle Patch 12.2.1.4.220906
Resolved Issues in OAM Bundle Patch 12.2.1.4.220623
Resolved Issues in OAM Bundle Patch 12.2.1.4.220404
Resolved Issues in OAM Bundle Patch 12.2.1.4.220113
Resolved Issues in OAM Bundle Patch 12.2.1.4.210920
Resolved Issues in OAM Bundle Patch 12.2.1.4.210607
Resolved Issues in OAM Bundle Patch 12.2.1.4.210408
Resolved Issues in OAM Bundle Patch 12.2.1.4.201201
Resolved Issues in OAM Bundle Patch 12.2.1.4.200909
Resolved Issues in OAM Bundle Patch 12.2.1.4.200629
Resolved Issues in OAM Bundle Patch 12.2.1.4.200327
Resolved Issues in OAM Bundle Patch 12.2.1.4.191223