3 Oracle Access Management

Known issues and workarounds for Oracle Access Management include general issues and configuration issues.


See What's New in Oracle Access Management for information about new features in this release of Oracle Access Management.

Bundle Patch for Oracle Access Management Server and Webgate 12 c ( release is available. For more information see,

3.1 Access Management Known Issues and Workarounds

This topic describes known issues and workaround for Oracle Access Management. It includes the following topics:

3.1.1 Takes time to propagate a policy or any metadata change


Set the password policy option to "Disallow previous passwords" and create a new password using the previously used password. The password can still be created.


When you perform any change to the policy, it takes time to propagate across the OAM cluster. You should wait for a minimum of 60 seconds or more if the network is slow for the changes to take effect. It is recommended that the changes be made when the OAM servers are offline

3.1.2 User name field in SME UI is case sensitive


OAM console based session management search is case sensitive.

3.1.3 Unused References in OAM console


Following are the references in OAM console that are unused:

  • Access Portal

  • OAuth Service

  • Allow OAuth Token

  • Token Issuance Policies

  • Access Portal Service Settings

3.1.4 Deprecated Java Policy

For Upgrade Customers, refer java policy. See TLS1.2 Support in Oracle Access Management

3.1.5 Test-to-Production Not Supported in OAM


OAM does not support Test-to-Production (T2P) tools in this release.


To create one or more cloned data centers follow the steps in the procedure, Adding an Additional Clone Data Center to the Existing Multi-Data Center Setup.

3.1.6 chghost Tool does not Work with OAM


OAM does not support chghost tool in this release.


The host:port for primary and secondary servers can be configured using the UI parameters on OAM console.

See Configuring and Managing Registered OAM Agents Using the Console

The webgate profiles and policies on OAM server use the import/export partners or Bulk updates for Webgates.

For webgates, you can do either of the following when host and port information is changed:


ObAccessClient.xml can be found at webgate_Instance _Dir (${Oracle_Home}/user_projects/domains/$(DOMAIN_HOME)/config/fmwconfig/components/OHS/ohs1/webgate/config/ObAccessClient.xml)

3.1.7 Exception occurs while using OAM Access Tester Tool


In OAM Access Tester tool, after entering sever connection details and clicking on Connect button, the connection will be established but with the following exception.

In Access Tester Console:

SEVERE: Server reported that incorrect NAP version is being used, while client attempted to communicate using NAP version 5. See server log for more information.

Stack trace in Server Logs:

<Error> <oracle.oam.proxy.oam> <OAM-04020> <Exception encountered while processing the request message for agent {0} at IP {1} Request message {2} :oracle.security.am.proxy.oam.requesthandler.OAMProxyException: Partner: TestWebgate is registered with version Runtime version of agent is different: 11.* .Agent will not be able to communicate with the server   
at oracle.security.am.proxy.oam.requesthandler.ObAAAServiceServer.getClientAuthentInfo(ObAAAServiceServer.java:159)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.ObAuthenReqChallengeHandler(RequestHandler.java:566)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleRequest(RequestHandler.java:229)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleMessage(RequestHandler.java:180)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean.getResponseMessage(ControllerMessageBean.java:94)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.MessageDrivenLocalObject.invoke(MessageDrivenLocalObject.java:127)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.getResponseMessage(Unknown Source)
at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.getResponse(ObClientToProxyHandler.java:316)
at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.messageReceived(ObClientToProxyHandler.java:270)
at org.apache.mina.common.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:743)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.common.IoFilterEvent.fire(IoFilterEvent.java:54)
at org.apache.mina.common.IoEvent.run(IoEvent.java:62)
at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:85)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:209)
at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352)
at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337)
at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57)
at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:644)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:415)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:355)


The above exception will be seen while using Access Tester. Access Tester will try to connect with NAP version 5, then with NAP version 4 and followed by NAP version 3 if the former does not work. But, there is no impact on the functionality.

3.2 Access Management Configuration Issues and Workarounds

This topic describes Configuration issues and workaround for Oracle Access Management. It includes the following topic:

3.2.1 Audit Integration with BI Publisher


BI Publisher is not supported in 12cPS3. Due to which, post upgrade some reports might not work.

BI Publisher will be available post PS3.

3.3 Access Management Console Issues

This topic describes Console issues and workaround for Oracle Access Management (Access Manager). It includes the following topic:

3.3.1 OOB OAM console logout does not work


Till R2PS3, IAMSuiteAgent was the OOB agent protecting the OAM console. From 12c PS3 onwards, OAM console can be protected using a webgate agent.


Close OAM console instead of logout.

Server side session will not be created when OAM console accesses OOB. As per EDG (Enterprise Development Guide), it is recommended to protect OAM console using a webgate agent.

3.4 Features Not Supported in Access Manager

The following table lists the features that will be unsupported from OAM and provides the migration path:

Unsupported Features in OAM Description Migration Path

10g OSSO server co-existence

OAM 12c server does not support co-existence with the OSSO servers

Upgrade from OSSO to OAM 11g R2PS3 and then upgrade to OAM 12c.

OpenSSO server co-existence

OAM 12c server does not support co-existence with the OpenSSO server.

Upgrade to OAM 11gR2PS3 and then upgrade to OAM 12c.

OAM 10g server co-existence

OAM 12c server does not support co-existence with OAM 10g server.

Migrate to OAM 12c server.

OpenSSO agents

OpenSSO agents are not supported in the OAM 12c release.

Migrate to supported 12c agents.

OAM 11g and 12c WebGates and Accessgates are supported in OAM


OAM 12c does not support mod OSSO (OSSO Agent Proxy) agents.

Migrate to 12c WebGate agents and upgrade to OAM 12c.

OAM10g WebGate

OAM 12c server does not support OAM 10 WebGates.

Migrate to OAM11g R2PS3 or OAM 12c WebGates

Upgrade the server to OAM 12c.


OAM 12c does not support the following commands and attributes:

  • prepareIDStore= FUSION

  • prepareIDStore= OAAM

  • configPolicyStore

  • configOVD

  • disableOVDAccessConfig

  • postProvConfig

  • validate: All options are not supported

  • ovdConfigUpgrade

  • upgradeOIMTo11gWebgate





OAM 12c does not support IAMSuiteAgent.

Till R2PS3, IAMSuiteAgent was the OOB agent protecting the OAM console. From 12c PS3 onwards, this is done using default OOB Login page.

As per EDG (Enterprise Development Guide), it is recommended to protect OAM console using a webgate agent.


Oracle Mobile Security Suite (OMSS)

OAM 12c does not support OMSS.


In 12c, for mobile and social login usecases, we recommend customers to use standard OAuth. We are deprecating proprietary way of achieving these use cases so that the customers can move to a more standards-based approach that would allow better interoperability and facilitate an easier transition to Oracle Identity Cloud Service (IDCS) in the future. The following services are deprecated in 12c:

  • Mobile and Social Services

  • Mobile OAuth Service

  • Security Token Service

  • Access Portal Service