Oracle® Access Management

Bundle Patch Release Notes

Bundle Patch 12c (12.2.1.3.180904) Generic for all Server Platforms

E99723-01

October 2018

This document describes Bundle Patch 12c Release (12.2.1.3.180904) for Oracle Access Management.

This document requires a base installation of Oracle Access Management 12c Patch Set 3 (12.2.1.3.0). It supersedes the documentation that accompanies Oracle Access Management 12c Patch Set 3 (12.2.1.3.0) and contains the following sections:

Understanding Bundle Patches

Describes Bundle Patches and explains differences between Bundle Patches, patch set exceptions (also known as one-offs), and patch sets.

Bundle Patch

A bundle patch is an official Oracle patch for Oracle Fusion Middleware components on baseline platforms. In a bundle patch release string, the fifth digit indicated the bundle patch number. Effective November 2015, the version numbering format has changed. The new format replaces the numeric fifth digit of the bundle version with a release date in the form "YYMMDD" where:

  • YY is the last 2 digits of the year

  • MM is the numeric month (2 digits)

  • DD is the numeric day of the month (2 digits)

Each bundle patch includes the libraries and files that have been rebuilt to implement one or more fixes. All of the fixes in the bundle patch have been tested and are certified to work with one another.

Each Bundle Patch is cumulative: the latest Bundle Patch includes all fixes in earlier Bundle Patches for the same release and platform. Fixes delivered in Bundle Patches are rolled into the next release.

Patch Set

A patch set is a mechanism for delivering fully tested and integrated product fixes that can be applied to installed components of the same release. Patch sets include all of the fixes available in previous Bundle Patches for the release. A patch set can also include new functionality.

Each patch set includes the libraries and files that have been rebuilt to implement bug fixes (and new functions, if any). However, a patch set might not be a complete software distribution and might not include packages for every component on every platform.

All of the fixes in the patch set have been tested and are certified to work with one another on the specified platforms.

Bundle Patch Requirements

To remain in an Oracle-supported state, apply the Bundle Patch to all installed components for which packages are provided. Oracle recommends that you:

  1. Apply the latest Bundle Patch to all installed components in the bundle.
  2. Keep OAM Server components at the same (or higher) Bundle Patch level as installed WebGates of the same release.
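
The version format and the Server/WebGate rule described above can be checked mechanically. The following is an added example, not part of the Oracle release notes; the function names, the host names, the 20YY century and the ordering of numeric levels before dated ones are assumptions.

```python
import re
from datetime import date

# Four-part release, then a fifth field: YYMMDD (current format) or a plain
# number (format used before November 2015; "0" is the unpatched base install).
_VERSION = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+)$")


def parse_bundle_version(text):
    """Return (release, level): level is a date for YYMMDD, else an int."""
    match = _VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"not a five-part version string: {text!r}")
    release, fifth = match.groups()
    if len(fifth) == 6:
        # Assumption: two-digit years are 20YY (the date format began in 2015).
        # date() rejects impossible values such as month 13.
        return release, date(2000 + int(fifth[:2]), int(fifth[2:4]), int(fifth[4:]))
    return release, int(fifth)


def _rank(level):
    # Assumption: within one release, any numeric level predates any dated one.
    return (1, level.toordinal()) if isinstance(level, date) else (0, level)


def at_or_above(installed, required):
    """True when `installed` is the same release as `required` and not older."""
    inst_release, inst_level = parse_bundle_version(installed)
    req_release, req_level = parse_bundle_version(required)
    if inst_release != req_release:
        raise ValueError(f"different releases: {inst_release} vs {req_release}")
    return _rank(inst_level) >= _rank(req_level)


def webgates_ahead_of_server(server, webgates):
    """List WebGates whose level is newer than the OAM Server's (item 2 above)."""
    return [name for name, version in sorted(webgates.items())
            if not at_or_above(server, version)]


if __name__ == "__main__":
    # Constructed inventory; host names are hypothetical.
    fleet = {"wg-app01": "12.2.1.3.180414", "wg-app02": "12.2.1.3.180904"}
    print(webgates_ahead_of_server("12.2.1.3.180706", fleet))
```

Because Bundle Patches are cumulative, at_or_above also answers whether an installed level already contains a fix first delivered in an earlier Bundle Patch of the same release.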

Applying the Bundle Patch

The following topics help you as you prepare and install the Bundle Patch files (or as you remove a Bundle Patch, should you need to revert to your original installation):

Using the Oracle Patch Mechanism (Opatch)

The Oracle patch mechanism (Opatch) is a Java-based utility that runs on all supported operating systems. Opatch requires installation of the Oracle Universal Installer.

Note:

Oracle recommends that you have the latest version of Opatch (version 13.9.2.0.0+ or higher) from My Oracle Support. Opatch requires access to a valid Oracle Universal Installer (OUI) Inventory to apply patches.

The patching process uses both the unzip and Opatch executables. After sourcing the ORACLE_HOME environment, Oracle recommends that you confirm that both of these exist before patching. Opatch is accessible at: $ORACLE_HOME/OPatch/opatch

When Opatch starts, it validates the patch to ensure there are no conflicts with the software already installed in your $ORACLE_HOME:

  • If you find conflicts with a patch already applied to the $ORACLE_HOME, stop the patch installation and contact Oracle Support Services.

  • If you find conflicts with a subset patch already applied to the $ORACLE_HOME, continue Bundle Patch application. The subset patch is automatically rolled back before installation of the new patch begins. The latest Bundle Patch contains all fixes from the previous Bundle Patch in $ORACLE_HOME.

This Bundle Patch is not -auto flag enabled. Without the -auto flag, no servers need to be running. The Machine Name & Listen Address can be blank on a default install.

Perform the steps in the following procedure to prepare your environment and download Opatch:

  • Log in to My Oracle Support: https://support.oracle.com/

  • Download the required Opatch version.

  • Use opatch -help to check if your Opatch version is earlier than 13.9.2.0.0. If so, download the latest 13.9.2.0.0 version.

  • Confirm if the required executables opatch and unzip are available in your system by running the following commands:

    Run which opatch to get the path of opatch.

    Run which unzip to get the path of unzip.

    Check whether the paths of the executables are in the environment variable PATH. If not, add the paths to the system PATH.

  • Verify the OUI Inventory using the following command:

    opatch lsinventory

    Windows 64-bit: opatch lsinventory -jdk c:\jdk180

    If an error occurs, contact Oracle Support to validate and verify the inventory setup before proceeding. If the ORACLE_HOME does not appear, it might be missing from the Central Inventory, or the Central Inventory itself could be missing or corrupted.

  • Review information in the next topic Applying the OAM Bundle Patch

Applying the OAM Bundle Patch

Use information and steps here to apply the Bundle Patch from any platform using Oracle patch (Opatch). While individual command syntax might differ depending on your platform, the overall procedure is platform agnostic.

The files in each Bundle Patch are installed into the destination $ORACLE_HOME. This enables you to remove (roll back) the Bundle Patch even if you have deleted the original Bundle Patch files from the temporary directory you created.

Note:

Oracle recommends that you back up the $ORACLE_HOME using your preferred method before any patch operation. You can use any method (zip, cp -r, tar, and cpio) to compress the $ORACLE_HOME.

Formatting constraints in this document might force some sample text lines to wrap around. These line wraps should be ignored.

To apply the OAM Bundle Patch

Opatch is accessible at $ORACLE_HOME/OPatch/opatch. Before beginning the procedure to apply the Bundle Patch be sure to:

  • Set ORACLE_HOME

    For example:

    export ORACLE_HOME=/opt/oracle/mwhome
  • Run export PATH=<<Path of Opatch directory>>:$PATH to ensure that the Opatch executables appear in the system PATH. For example:

    export PATH=$ORACLE_HOME/OPatch:$PATH
  1. Download the OAM patch p28595514_122130_Generic.zip
  2. Unzip the patch zip file into the PATCH_TOP.

    $ unzip -d PATCH_TOP p28595514_122130_Generic.zip

    Note:

    On Windows, the unzip command has a limitation of 256 characters in the path name. If you encounter this, use an alternate ZIP utility such as 7-Zip to unzip the patch.

    For example: To unzip using 7-Zip, run the following command.

    "c:\Program Files\7-Zip\7z.exe" x p28595514_122130_Generic.zip

  3. Set your current directory to the directory where the patch is located.

    $ cd PATCH_TOP/28595514

  4. Log in as the same user who installed the base product and:
    • Stop the AdminServer and all OAM Servers to which you will apply this Bundle Patch.

      Any application that uses this OAM Server and any OAM-protected servers will not be accessible during this period.

    • Back up your $ORACLE_HOME: MW_HOME.

    • Move the backup directory to another location and record this so you can locate it later, if needed.

  5. Run the appropriate Opatch command as an administrator to ensure the required permissions are granted to update the central inventory and apply the patch to your $ORACLE_HOME. For example:
    opatch apply

    Windows 64-bit: opatch apply -jdk c:\path\to\jdk180

    Note:

    Opatch operates on one instance at a time. If you have multiple instances, you must repeat these steps for each instance.
  6. Start all Servers (AdminServer and all OAM Servers).

Recovering From a Failed Bundle Patch Application

If the AdminServer does not start successfully, the Bundle Patch application has failed.

To recover from a failed Bundle Patch application
  1. Confirm that there are no configuration issues with your patch application.
  2. Confirm that you can start the AdminServer successfully.
  3. Shut down the AdminServer and roll back the patch as described in Removing the Bundle Patch, then perform the patch application again.

Removing the Bundle Patch

If you want to roll back a Bundle Patch after it has been applied, perform the following steps. While individual command syntax might differ depending on your platform, the overall procedure is the same. After the Bundle Patch is removed, the system is restored to the state it was in immediately before patching.

Note:

Removing a Bundle Patch overrides any manual configuration changes that were made after applying the Bundle Patch. These changes must be re-applied manually after removing the patch.

Follow these instructions to remove the Bundle Patch on any system.

To remove a Bundle Patch on any system
  1. Perform steps in Applying the OAM Bundle Patch to set environment variables, verify the inventory, and shut down any services running from the ORACLE_HOME or host machine.
  2. Change to the directory where the patch was unzipped. For example: cd PATCH_TOP/28595514
  3. Back up the ORACLE_HOME directory that includes the Bundle Patch and move the backup to another location so you can locate it later.
  4. Run Opatch to roll back the patch. For example:
    opatch rollback -id 28595514
  5. Start the servers (AdminServer and all OAM Servers) based on the mode you are using.
  6. Re-apply the Bundle Patch, if needed, as described in Applying the Bundle Patch.

Resolved Issues

This chapter describes resolved issues in this Bundle Patch.

Resolved Issues in 12.2.1.3.180904

Base Bug Number Description of the problem

28541209

OAM 12CPS3: DISPLAYING WRONG ERROR MESSAGE FOR LOCKED USERS

28296759

FORCE PASSWORD RESET NOT WORKING WITH BASIC METHOD AND FORM CACHETYPE 

28244683

12C BP: MORE THAN 5 TIMES USING WRONG PWD NOT REDIRECT TO FORGOT PASSWORD

28204062

AUDITOR RELOAD DOESN'T HAPPEN IN OAM 12C WHILE CHANGING FILTER PRESET

Note:
  • This bug has a dependency on OPSS October Bundle Patch. Please apply OPSS Bundle Patch 12.2.1.3.181016:28172453 along with OAM Bundle Patch.

  • BI Publisher in standalone mode i.e. with only BIPublisher option while configuring domain is recommended for viewing OAM Reports.

28202816

BP10 ON WEBGATE BREAKS LOGOUT FUNCITONALITY

28132498

EXCEPTION OCCUR WHEN REMOVEWEBGATETEMPLATEPARAMS WHITH NON-EXISTING TEMPLATE

28131039

12C: REMOVE COHERENCE CHECK FROM HEARTBEAT

27931928

AUTHORIZATION BROKEN IN APRIL OAM BP 11.1.2.3.180417 |BP14

27918612

SAML ATTRIBUTE VALUE IS NULL WHEN ONE OF THE USER ATTRIBUTE VALUE IS NULL IN COM

27797404

IMPCONSENT.JSP PAGE IS DOWNLOADED WHEN ACCESSING THROUGH DCC WEBGATE

27614683

OAM INITIATED LOGOUT NOT WORKING & ORA_OSFS_SESSION IS NOT GETTNIG CLEARED

27573288

Fix for Bug 27573288

Note: This bug fix introduces changes to the following password policy features:
  • Password expiry warning period - This feature is supported only with OAM and OIM integrated scenarios. If there is no OIM integration, then OAM authentication will fail during the warning period, and the customer has to configure custom authentication plugins to show the password expiry warning page and the required handling for the authentication flow.

    The limitation on authentication failure during the password expiry warning period is because of the difference in behavior of different LDAP servers (OID, OUD) when a user tries to authenticate with a wrong password during the expiry warning period.

  • Password grace login attempts - This configuration will work only if "Password expiry warning period" is not configured. In the first scenario, grace login is not required because the user will be forced to change the password during the warning period or after expiry.

27525584

Fix for Bug 27525584

27444036

F5 HEALTH MONITOR GETTING 404 FOR /OAM/SERVER/HEARTBEAT

27417512

Fix for Bug 27417512

27314441

OAM LOGIN FAILS WITH OAMSSA-20144 IF THE USER IN OID WITHIN GRACE LOGINS

27189773

OIDC: ACCESS TOKEN STILL VALID WHEN REM_EXP<0

25417176

FEDERATION: AUTO PROVISION TO LDAP FROM IDP SAML ASSERTION FAILS

23133385

Fix for Bug 23133385

Resolved Issues in 12.2.1.3.180706

Base Bug Number Description of the problem

28138969

ASDK ERROR FOR URL ENCODED TOKEN AFTER 28027669 FIX

Note: The OAM ASDK (oamasdk-api.jar) is available in the $ORACLE_HOME/common/lib directory. Copy it to the host where the application using ASDK is deployed.

28027669

ASDK API FIX FOR BUG:27161546

27931041

COMPATIBILITY FIX & OAM11.1.2.3.180417:SYS ERR FOR 10G WG FOR RSRC %26.HTML

27802941

STUCK THREADS DUE TO INCIDENT REPORTING IN FEDERATION

27781001

Fix for Bug 27781001

27732020

ADMINISTRATION REVOKED USER SHOULD NOT ACCESS APP DOMAIN BY REST OPERATION

27663475

Fix for Bug 27663475

27605692

TECHP: LDAP_SSL_PROTOCOL SETTING REMOVED AFTER UPDATING IDSTORE VIA OAMCONSOLE

27601504

OAUTH - NO CUSTOM ATTRIBUTES IN ACCESS TOKEN

27584074

IMPORTACCESSSTORE FAIL: MISMATCHED NO. OF ENTITIES BEFORE & AFTER TRANSFORMATION

27578580

CUSTOMWAR FILE NEEDS TO INCLUDE THE FORGOT PASSWORD PAGES

27528858

SESSION AUDIT:INCORRECT REQUEST TYPE DISPLAYED FOR GET, UPDATE & DELETE COMMANDS

27506785

INT STG PRIMRY: WEBGATE CONNECTIVITY ISSUES AFTER APPLYING BP13 PATCH

27492241

OAM: DISPLAYWEBGATE11AGENT WLST: DOES NOT DISPLAY LOGOUTURLS

27440104

OAM 12C: OAUTH: CANNOT CHANGE KEYATTRIBUTENAME VALUE

27355457

STRESS:12COAM:NULLPOINTEREXCEPTION IN OAUTH CREATEDOMAIN NEGATIVE STRESS TEST

27338937

DIAG LOG MESSAGES TRACING LOGOUT WORKFLOW

27287517

UPDATING GETOTP.JSP IN OAM-SERVER.EAR TO WORK IN DCC TUNNELLING CASE

27255144

FIX OAMCUSTOMPAGES IN 12C

27203475

OIDC:SPACE CHAR SHOULD BE NOT ALLOWED TO USE FOR RESERVER NAME

27149541

NOTIFICATIONS 'DIAGNOSTICCOOKIECONFIG' AFTER UPGRADING OAM 11.1.2.2 TO 11.1.2.3

27072426

UNABLE TO VIEW ALL IPS IN AUTHORIZATION POLICY IN APPLICATIO DOMAIN OAM CONSOLE

27050584

HOW TO MAKE IDP DN MAPPINGS CASE INSENSITIVE WITH 11.1.2.3 FEDERATION

Note: To enable the case-insensitive feature for DNIDPMapping, run the following WLST command:

putBooleanProperty("/dnidpmapping/caseinsensitive", "true");

27028826

TECHPLAT: OAM 12.2.1.3 FAILS TO CONNECT TO LDAPS

26912813

"AGENT TYPE" IS NULL IN OAM ADMIN CONSOLE IF WEB BROWSER LANGUAGE IS JAPANESE

26864424

"ALLOW OAUTH TOKEN" AND "ALLOW SESSION IMPERSONATION" SHOULD BE REMOVED FROM OAM

26844537

EDITWEBGATE11GAGENT UPDATE CAUSES ERRORS WHEN ACCESS WG AGENT FROM CONSOLE

26843227

THERE IS A BROKEN LINK FOR "CREATE X509 AUTHENTICATION MODULE"

26784192

USING IDENTITY CONTEXT IN AUTH PLUGIN OAM

Note:

In order to access ResourceID and AgentAppDomain from authentication context in a custom authn plugin, use:

authenticationContext.getStringAttribute("ResourceId") and authenticationContext.getStringAttribute("AgentAppDomain")

Format of the expected parameters:

ResourceID contains <resourceType>::<HostIdentifier>::<resourceURL>

AgentAppDomain contains APP:<AppDomain>|AGENT:<AgentType>:<WebgateID>

For Example,

ResourceID = HTTP::RREG_HostId11G::/hostid/**::

AgentAppDomain = APP:NewAgent|AGENT:0:TWG_49

26630561

DIAG: NEED DETAILED DEBUG OUTPUT FOR TOTPPLUGIN

26540242

OAM 11.1.2.3 AUTHENTICATION FAILURE CODE NOT AUDITED

26535030

ADD RESILIENCY CHECK FOR POLICY CACHE IN OAM CLUSTERS

25900160

OAM_RES NEEDS TO BE CONFIGURABLE IN PS3 TO BEHAVE LIKE PS2

Note: The following sample configuration segment is introduced in the oam-config.xml when the WLST command displayAuthZCallBackKey() is executed:

Xpath: "/DeployedComponent/Server/NGAMServer/Profile".

<Setting Name="AuthZCallBack" Type="htf:map">
<Setting Name="AuthZHashKey" Type="xsd:string">1E8461DFA32AD746AF28BAAAA9F327327941C14CAC216DCFA9AC17985E097A0DD603EC1DF5C6D9F5C904ED44952A5D5F</Setting>
<Setting Name="AuthZCallBackEnabled" Type="xsd:boolean">true</Setting>
</Setting>

If AuthZCallBackEnabled is set to false, then both oam_res and oam_res_hash are not populated. Only redirection occurs to configured AuthZ Success URL.

If AuthZCallBackEnabled is set to true, then both oam_res and oam_res_hash are populated with their values after redirection occurs to the configured AuthZ Success URL.

Resolved Issues in 12.2.1.3.180414

Base Bug Number Description of the problem

27605234

OAM12C: ADMIN REST API AUTHNPOLICY IS FAILING WITH REQUEST FAILED

27371324

MAKE PASSWORDMANAGEMENTMODULE AS THE DEFAULT MODULE FOR OAM FRESH INSTALL 

Note: In a patched environment for BP02, the PasswordPolicyValidationScheme will use the original Password policy validation module. Customers who wish to use the Multiple Password Policy feature, Forgot Password using OTP, and Changing User Status using REST API have to manually change the module that PasswordPolicyValidationScheme is using to PasswordPolicyManagementModule.

27314613

OIF : IDP INITIATED FLOW WITH USER PROVISIONING PLUG-IN ENABLED DISPLAYS SYSTEM 

27206989

ABILITY TO UPDATE CONFIGURATION USING REST

27205555

LOGOUT DONEURL WITH ISALLOWSCHEMERELATIVEURLS SET PERMIT NON-WHITELISTED URL

Note: To enable/disable scheme relative URLs, add the isAllowSchemeRelativeURLS boolean attribute to the oam-config.xml file, and set the value to true/false respectively.

Example:
<Setting Name="EndURLWhiteList" Type="htf:map">
	<Setting Name="isAllowSchemeRelativeURLS" Type="xsd:boolean">true</Setting>
	<Setting Name="enableWhiteListValidation" Type="xsd:boolean">true</Setting>
	<Setting Name="WhiteListURLs" Type="htf:map">
	</Setting>
</Setting>

27202829

NOTIFICATION MESSAGES "OAM-CONFIG.XML AS :EXTER" CONSTANTLY LOGGING IN OAM LOGS

27161546

Fix for Bug 27161546

Refer to technical note Doc ID 2386496.1 available on My Oracle Support. You can access My Oracle Support at https://support.oracle.com.

Note: By default, the fix for this bug is disabled. The fix can be enabled by adding globalHMACEnabled as true. If the flag is not present or is present with value false, then the fix is disabled.

Before enabling the fix, ensure that all WebGates are patched with the complementary fix (Bug: 27258588, 27355601, and 27568356). To patch a WebGate, follow the WebGate patching process.

Path: NGAMConfiguration>DeployedComponent>Server>NGAMServer>Profile>oamproxy

Caution: If all the webgates are not patched and the flag is enabled, then all those webgates which are not patched will not work.

Following is the process to introduce/update the flag value:

  1. Create a config.properties file with the following content:

    oam.entityStore.schemaUser=[OAM Schema Name]
    oam.entityStore.ConnectString=jdbc:oracle:thin:@[Database Host]:[DB Port]:[Service_ID]
    oam.entityStore.schemaPassword=[Schema Password]
    oam.importExportDirPath=[Directory where oam-config.xml will be exported/(imported from)]
    oam.frontending=params=host;port;protocol

    Note: Keep the oam.frontending line exactly as shown in the config file above for the command to work.

  2. Export the entire oam-config.xml using the following command:

    bash-4.1$ cd [Middleware_Home]
    bash-4.1$ [JDK/JRE_Home]/bin/java -cp
    ./idm/oam/server/tools/config-utility/config-utility.jar:./oracle_common/modules/oracle.jdbc/ojdbc8.jar
    oracle.security.am.migrate.main.ConfigCommand [OAM_Domain_Home] export [Path]/config.properties

    Note:
    • config.properties is the file created in step 1. oam-config.xml will be exported to the path [oam.importExportDirPath].

    • Line breaks in the above command are only for demonstration purposes.

  3. Change the value of the field globalHmacEnabled to true/false.

  4. Import the updated oam-config.xml using the same command as in step 2, changing export to import.
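
Once oam-config.xml has been exported, the flags these notes introduce (globalHMACEnabled under oamproxy, the EndURLWhiteList settings and AuthZCallBackEnabled) can be read back and reviewed before the file is imported again. The following is an added example, not Oracle code; the sample document, its namespace URI, its root element and the location of EndURLWhiteList are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape the page shows. The namespace URI, the root
# element and where EndURLWhiteList sits are assumptions, not a real export.
SAMPLE = """<Config xmlns="urn:example:constructed">
 <Setting Name="NGAMConfiguration" Type="htf:map">
  <Setting Name="DeployedComponent" Type="htf:map">
   <Setting Name="Server" Type="htf:map">
    <Setting Name="NGAMServer" Type="htf:map">
     <Setting Name="Profile" Type="htf:map">
      <Setting Name="oamproxy" Type="htf:map">
       <Setting Name="globalHmacEnabled" Type="xsd:boolean">false</Setting>
      </Setting>
      <Setting Name="AuthZCallBack" Type="htf:map">
       <Setting Name="AuthZCallBackEnabled" Type="xsd:boolean">true</Setting>
      </Setting>
     </Setting>
    </Setting>
   </Setting>
  </Setting>
  <Setting Name="EndURLWhiteList" Type="htf:map">
   <Setting Name="isAllowSchemeRelativeURLS" Type="xsd:boolean">true</Setting>
   <Setting Name="enableWhiteListValidation" Type="xsd:boolean">true</Setting>
   <Setting Name="WhiteListURLs" Type="htf:map"/>
  </Setting>
 </Setting>
</Config>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop any "{namespace}" prefix


def _settings(elem, path=()):
    """Yield (name_path, element) for every <Setting>, at any depth."""
    for child in elem:
        if _local(child.tag) == "Setting":
            here = path + (child.get("Name", ""),)
            yield here, child
            yield from _settings(child, here)
        else:
            yield from _settings(child, path)


def _lookup(root, parent, name):
    """Find `name` somewhere below the map `parent`, ignoring letter case."""
    for path, elem in _settings(root):
        lowered = [part.lower() for part in path]
        if lowered[-1] == name.lower() and parent.lower() in lowered[:-1]:
            return path[-1], elem
    return None, None


def _flag(root, parent, name):
    """Return (spelling found, bool value), or (None, None) when absent."""
    spelling, elem = _lookup(root, parent, name)
    if elem is None:
        return None, None
    return spelling, (elem.text or "").strip().lower() == "true"


def audit(xml_text):
    root = ET.fromstring(xml_text)
    # The page spells this flag both globalHMACEnabled and globalHmacEnabled,
    # so match without regard to case and report the spelling in the file.
    spelling, hmac = _flag(root, "oamproxy", "globalHMACEnabled")
    _, whitelist = _lookup(root, "EndURLWhiteList", "WhiteListURLs")
    return {
        "hmac_flag_spelling": spelling,
        "hmac_fix_enabled": bool(hmac),    # absent or false: fix disabled
        "authz_callback_enabled": _flag(root, "AuthZCallBack", "AuthZCallBackEnabled")[1],
        "scheme_relative_allowed": _flag(root, "EndURLWhiteList", "isAllowSchemeRelativeURLS")[1],
        "whitelist_validation": _flag(root, "EndURLWhiteList", "enableWhiteListValidation")[1],
        "whitelist_entries": 0 if whitelist is None else
            sum(1 for c in whitelist if _local(c.tag) == "Setting"),
    }


def describe(report):
    """Turn the report into the statements the release notes make."""
    lines = []
    if report["hmac_fix_enabled"]:
        lines.append("Bug 27161546 fix ENABLED: every WebGate needs the complementary fix")
    else:
        lines.append("Bug 27161546 fix disabled (flag absent or false)")
    if report["authz_callback_enabled"]:
        lines.append("oam_res and oam_res_hash are populated on AuthZ redirect")
    if report["scheme_relative_allowed"]:
        lines.append("Scheme-relative URLs are allowed")
    if not report["whitelist_validation"]:
        lines.append("enableWhiteListValidation is not true")
    elif report["whitelist_entries"] == 0:
        lines.append("Whitelist validation is on but WhiteListURLs is empty")
    return lines
```

Run audit() on the text of the exported file and compare the result with the WebGate patch inventory before setting the HMAC flag to true.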

27361854

Fix for bug 27361854

Note: This bug is dependent on bug 27161546. Along with this, complementary fix on webgate side is covered by bug 27355601.

27853736

DCC RELOGIN FLOW AFTER IDLE TIME OUT DISPLAY SYSTEM ERROR PAGE 

Note: This bug is dependent on bug 27361854.

27132341

INT STG PRIMARY OAM - UNABLE TO LOGIN TO NEW AGENTS AFTER OCT17 BP

27095174

OPENIDCONNECT SUPPORT FOR OAM SERVER

27084858

PSFE ENHANCEMENT TO RUN FOR BUNDLE PATCH UPDATES

27068410

DISABLE PLAINTEXT OBRAREQ/OBRAR FRONT CHANNEL

26914133

POST DATA PRESERVATION DOES NOT WORK WHEN POST DATA IS LARGER THAN 1200 BYTES

26901175

PASSWORDOLICYREST:: DELETING ALL PASSWORD POLICIES SHOWS INCORRECT MESSAGE 

26862217

POLICY SYNC TO MANAGED SERVERS IS VERY SLOW WHEN APPDOMAIN HAS LOT OF RESOURCES

26479576

SAML-PROTECTED APPLICATION USING FRAMES IS BROKEN BY RETURN OF CLICKJACKINGSCRIP

Note: This fix validates the correct url i.e. the next redirect url against WhiteListURLs in federation flow.

After applying the patch and before starting the OAM nodes, add the following setting to the oam-config.xml file under <Setting Name="EndURLWhiteList" Type="htf:map">, with the REQUEST_URL_KEY that you want to use against the WhiteListURLs check.

<Setting Name="FedActionUrlKey" Type="xsd:string"><REQUEST_URL_KEY></Setting>
Example:
<Setting Name="EndURLWhiteList" Type="htf:map">
<Setting Name="FedActionUrlKey" Type="xsd:string">oracle.security.fed.post.actionurl</Setting>
</Setting>

26286819

STRESS:12C OAM- DEADLOCK DETECTED IN OAM DB DURING STRESS TEST

25867806

ENT INT STG DR-TR - PATCH REQUIRED FOR DELETION OF OSSO AND FEDERATION PARTNERS

25369080

DI BASED ON BUG 23745818 : LOGS TO INDICATE FED DEFAULT AUTHN SCHEME ID

25170276

PARAMETER "EMAILMSGFROMNAME" BEING IGNORED IN OTP E-MAILS

24357957

OAM WHITELIST SHOULD HAVE CONFIG TO ENABLE/DISABLE HOSTID CHECKS

Note: Enable/Disable the HostId validation mode using the WLST command oamSetHostIdValidationMode (default is true).

23185976

VALIDATE WEBGATEID WHEN RUNNING WLST : UPDATEWEBGATETEMPLATETOWEBGATEMAPPING

Resolved Issues in 12.2.1.3.171121

Table 1-1 Resolved Issues in Release 12.2.1.3.171121

Base Bug Number Description of the Problem

27077697

FORGOT PASSWORD FUCNTIONALITY USING ONETIMEPIN IN OAM

26821988

OAM : IFRAMEBURSTOUT IN BOTH OAMWHITELISTMODE TRUE AND FALSE

26743138

SKIP_AUTHN_RULE_EVAL SHOULD BE ENABLED BY DEFAULT

26732813

SESSION REST GET/SEARCH RESULT DOES NOT CONTAIN THE EXPIRYTIME ATTRIBUTE

26679791

FIX FOR BUG 25898731 IS FAILING IN OAM 11.1.2.3.171017BP 26540179

26672990

IMPERSONATION SESSION IS ALWAYS CREATED WITH LEVEL 2

Note: To update the default auth level for impersonation, a new entry MaxAuthlevel is introduced in oam-config.xml under ImpersonationConfig.

Example: <Setting Name="MaxAuthLevel" Type="xsd:string">4</Setting>

Pre-Requisite: Update authentication level of /oamImpersonationConsent under IAMSuite domain to match the MaxAuthLevel.

26671436

NULL POINTER EXCEPTION IS THROWN WHILE ENABLING SSL FROM OAMCONSOLE

26610754

ER 20773096: ADD ONE NEW WLS CMD FOR WEBGATETEMPLATE REMOVAL

26443261

STEP NUMBER NOT INCREMENTING IN OAM CUSTOM PLUGIN

26429287

ADD WLST FOR SKIP_AUTHN_RULE_EVAL CONFIG PARAMETER

26420974

DETERMINE WHETHER AGENT IS DCC WEBGATE

26375044

AUTHENTICATION FAILING FOR USER-AGENT MATCHING PRE-AUTHN RULE

Note: This bug has a dependency on Webgate bug 26389702.

26335555

TOTPLUGIN - CAN ACCESS THE APPLICATION WITH AN EXPIRED TOKEN

26226156

OIF: FEDUSERPROVISIONING PLUGIN CREATING ADDITIONAL ENTRIES FOR UID

26199993

NO SOUND/VIBRATE FROM THE PUSH NOTIFICATION ON THE PHONE SIDE

26180201

GLOBAL LOGOUT FAILS AT OAM AS SP WHEN END_URL CONTAINS QUERY PARAMS

26170087

USER GETTING OAM-7 ERROR WHEN ACCESSING SAML (FED) APP INSIDE OF IFRAME (EVEN WHEN WHITELISTED)

26161468

REDIRECT LOGOUT URL WITH WHITE LIST ENABLED PERMIT REDIRECT ON NON LISTED SITE

26147809

IN FORCE PASSWORD ONLY BROWSER LEVEL VALIDATION IS WORKING

26143230

PRE-AUTHN RULE NOT EVALUATED WHEN SWITCHING FROM DCC SCHEMA

26114972

OAM LOGOUT URL NOT BEHAVING AS EXPECTED

25961607

CONFIGUREPOLICYRESPONSES NOT WORKING FOR PASSWORD POLICY DATE STRING AT 11.1.2.3

25709831

CHANGEPASSWORD AFTER PASSWORD EXPIRY:OAM IS NOT RETURNING THE REASON/ERROR CODE

25534524

LOOP ON SYSTEMERROR WHEN USER SITS FOR OVER 15 MINUTES ON BOOKMARKURL LOGIN PAGE

25485089

DIAG: OPENID ASSOCIATION FAILED FOR RESPONSEHANDLEREXCEPTION

25315550

ADVANCED RULES NOT WORKING IN CLONED ENVIRONMENT AFTER BEING IMPORTED

24817439

SAML ASSERTION HAS INCORRECT DATA FORMAT FOR NAMEID-FORMAT:ENTITY

Note: This feature is added to either disable sending Format attribute on Issuer or set it to Unspecified or entity value. This can be set at partner, profile or global level.

After applying the fix, following WLST command needs to be executed:

domainRuntime()

updatePartnerProperty("<IDP-partner-name>", "idp", "sendsamlissuerformat", "false", "boolean")

Example: updatePartnerProperty("lcr01103-idp", "idp", "sendsamlissuerformat", "false", "boolean")

24746284

IDENTITY CONTEXT CLARIFICATION ON PUBLISHED ATTRIBUTES FORMAT

Note: To use the new format for custom attributes, before starting the OAM Managed Server, set the system property oracle.oam.saml.assertion.customattrformat=SAML2.0 using the following command, export JAVA_OPTIONS="-Doracle.oam.saml.assertion.customattrformat=SAML2.0".

22494562

OAM FEDSTS-11013 ERROR: ORA-00001: UNIQUE CONSTRAINT VIOLATED

Known Issues and Workarounds

Known issues and their workarounds in Oracle Access Management Release 12.2.1.3 are described in the Oracle Access Management chapter of the Release Notes for Oracle Identity Management document. You can access the Release Notes document in the Oracle Identity Management Documentation library at the following URL:

https://docs.oracle.com/middleware/12213/idmsuite/IDMRN/toc.htm

Note:

Some known issues listed in the Release Notes for Oracle Identity Management may have been resolved by this Bundle Patch (Oracle Access Management 12.2.1.3.0). Compare the issues listed in Resolved Issues of this document when reviewing the Release Notes for Oracle Identity Management.

Bundle Patch Number: 12.2.1.3.180414

  • Base Bug Number 27068410, Bug Number 27606513

    disable10gPlainTextReqRes parameter is case sensitive.

    Workaround is to use disable10gPlainTextReqRes parameter as it is. Do not change the case.

  • Base Bug Number 27068410, Bug Number 27606466

    The functionality does not work when Agent and Preferred Host are different for the registered 10g Webgate Agent Profiles.

    Workaround is that the Agent Name and Preferred Host have to be the same for the registered 10g Webgate Agent Profiles.

  • Base Bug Number 27068410, Bug Number 27626433

    Functionality does not work when bulk updates are done for updating the userdefinedparam of 10g agent profiles.

    Workaround is to update the userdefinedparam of all the 10g agent profiles manually using the oamconsole.

  • Base Bug Number 27582324

    POST data restoration will not work with ChallengeRedirectMethod=GET.

    Workaround is to set ChallengeRedirectMethod=post in the Authentication scheme.

Bundle Patch Number: 12.2.1.3.171121

  • Base Bug Number 27292760

    There are cases when AdaptiveAuthenticationPlugin does not contain the required fields to enable the OTP.

    The workaround is to add the required fields to update the properties in oam-config.xml by adding them to the ConfigParams section of the OAMMFAOTP definition.


Copyright © 2018, 2018, Oracle and/or its affiliates. All rights reserved.
