Oracle® Fusion Middleware

Oracle Identity Governance Bundle Patch Readme

12c (12.2.1.3.1)

E96127-02

October 2018

This document is intended for users of Oracle Identity Management 12c (12.2.1.3.180109). It contains the following sections:

Understanding Bundle Patches

This section describes bundle patches and explains differences between bundle patches, patch set exceptions (also known as one-offs), and patch sets.

Bundle Patch

A bundle patch is an official Oracle patch for an Oracle product. In a bundle patch release string, the fifth digit indicated the bundle patch number. Effective November 2015, the version numbering format has changed. The new format replaces the numeric fifth digit of the bundle version with a release date in the form "YYMMDD" where:

  • YY is the last 2 digits of the year

  • MM is the numeric month (2 digits)

  • DD is the numeric day of the month (2 digits)

Each bundle patch includes the libraries and files that have been rebuilt to implement one or more fixes. All of the fixes in the bundle patch have been tested and are certified to work with one another. Regression testing has also been performed to ensure backward compatibility with all Oracle Mobile Security Suite components in the bundle patch.

Patch Set Exception

In contrast to a bundle patch, a patch set exception addressed only one issue for a single component. Although each patch set exception was an official Oracle patch, it was not a complete product distribution and did not include packages for every component. A patch set exception included only the libraries and files that had been rebuilt to implement a specific fix for a specific component.

Patch Set

A patch set is a mechanism for delivering fully tested and integrated product fixes. A patch set can include new functionality. Each patch set includes the libraries and files that have been rebuilt to implement bug fixes (and new functions, if any). However, a patch set might not be a complete software distribution and might not include packages for every component on every platform. All of the fixes in a patch set are tested and certified to work with one another on the specified platforms.

Bundle Patch Requirements

You must satisfy the following requirements before applying this bundle patch:

  • Confirm you are applying this bundle patch to an Oracle Identity Governance 12.2.1.3.0 installation.

    Note:

    When installing OPatch, you might find that interim or one off patches have already been installed.

  • Download the latest version of OPatch. The OPatch version for this bundle patch is 12.2.1.3.0. However, Oracle recommends using the latest version of OPatch to all customers. To learn more about OPatch and how to download the latest version, refer to the following:

    You can access My Oracle Support at https://support.oracle.com.

  • Verify the OUI Inventory. To apply patches, OPatch requires access to a valid OUI Inventory. To verify the OUI Inventory, ensure that ORACLE_HOME/OPatch appears in your PATH for example:

    export PATH=ORACLE_HOME/OPatch:$PATH

    Then run the following command in OPatch inventory

    opatch lsinventory

    If the command returns an error or you cannot verify the OUI Inventory, contact Oracle Support. You must confirm the OUI Inventory is valid before applying this bundle patch.

  • Confirm the opatch and unzip executables exist and appear in your system PATH, as both are needed to apply this bundle patch. Execute the following commands:

    which opatch
which unzip

    Both executables must appear in the PATH before applying this bundle patch.

  • Ensure that there are no pending JMS messages in Oracle Identity Governance server. You can monitor JMS messages with WebLogic console.

Prerequisites of Applying the Bundle Patch

Before applying the bundle patch, perform the following prerequisites:

  • This patch process makes changes to Oracle Identity Governance database schema (such as adding/modifying data), Oracle Identity Governance Meta Data Store (MDS) database schema (such as adding/modifying data), domain configuration changes, and other binary changes in the file system under ORACLE_HOME on which Oracle Identity Governance is installed. It is mandatory to create a backup of the following:

    • Oracle Identity Governance, MDS, and Service-Oriented Architecture (SOA) database schemas. For example, the database schema can be DEV_OIM, DEV_MDS schemas used by Oracle Identity Governance. Simple export of the schemas is sufficient.

    • The ORACLE_HOME directory on which Oracle Identity Governance is installed, for example, /u01/Oracle/Middleware.

    • Oracle Identity Governance WebLogic Domain location, for example, /u01/Oracle/Middleware/user_projects/domains/IAMGovernanceDomain/.

    • The UNIX user applying opatch must have read, write, and execute permissions on both ORACLE_HOME as well as WEBLOGIC_DOMAIN_HOME. You can verify this manually in the file system for DOMAIN_HOME and ORACLE_HOME.

  • If you have customized the event handler file metadata/iam-features-configservice/event-definition/EventHandlers.xml in your setup, then perform the following steps to ensure that the upgrade does not override any customization done to this file:

    1. Export the metadata/iam-features-configservice/event-definition/EventHandlers.xml file from MDS, and create a backup of this file.

    2. After upgrading and running all the post install steps, export the new metadata/iam-features-configservice/event-definition/EventHandlers.xml file, merge your customization to this new file, and import it back to MDS.

    Note:

    For more information on MDS Utilities, see MDS Utilities and User Modifiable Metadata Files.

Applying the Bundle Patch to an Existing Instance

Applying Oracle Identity Manager Release 12.2.1.3.180109 patch is done in the following stages:

Note:

Before performing the steps to apply the bundle patch, create a backup of the database, as stated in Prerequisites of Applying the Bundle Patch which will help you rollback to the previous release.

Stage 1: Patching the Oracle Binaries (OPatch Stage)

This section describes the process of applying the binary changes by copying files to the ORACLE_HOME directory, on which Oracle Identity Manager is installed. This step must be executed for each OIM_ORACLE_HOME in the installation topology nodes irrespective of whether Oracle Identity Manager server is being run in the node or not.

Perform the following steps to apply the bundle patch to an existing Oracle Identity Manager instance:

  1. Stop the Admin Server, all Oracle Identity Manager managed servers, and all SOA managed servers.
  2. Create a directory for storing the unzipped bundle patch. This document refers to this directory as PATCH_TOP.
  3. Unzip the patch zip file in to the PATCH_TOP directory you created in step 2 by using the following command:
    unzip -d PATCH_TOP p27363471_122130_Generic.zip

    Note:

    On Windows, the unzip command has a limitation of 256 characters in the path name. If you encounter this issue, use an alternate ZIP utility, for example 7-Zip to unzip the zip file.

    Run the below command to unzip the file:

    "c:\Program Files\7-Zip\7z.exe" x p27363471_122130_Generic.zip
  4. Move to the directory where the patch is located. For example:
    cd PATCH_TOP/27363471
  5. Set the ORACLE_HOME directory in your system. For example:
    setenv ORACLE_HOME /opt/oracle/mwhome
  6. Apply the bundle patch to the ORACLE_HOME using the following command for Oracle Identity Manager:
    opatch apply

    Note:

    • Ensure the OPatch executables appear in your system PATH.

    • If OPatch fails with error code 104, cannot find a valid oraInst.loc file to locate Central Inventory, include the -invPtrLoc argument, as follows:

      opatch apply -invPtrLoc ORACLE_HOME/oraInst.loc

    When OPatch starts, it will validate the patch and ensure there are no conflicts with the software already installed in the ORACLE_HOME. OPatch categorizes two types of conflicts:

    • Conflicts with a patch already applied to the ORACLE_HOME. In this case, stop the patch installation and contact Oracle Support.

    • Conflicts with subset patch already applied to the ORACLE_HOME. In this case, continue the install, as the new patch contains all the fixes from the existing patch in the ORACLE_HOME. The subset patch will automatically be rolled back prior to the installation of the new patch.

      Note:

      • For clustered and multi-node installation of Oracle Identity Manager, this step must be run on all the OIM_ORACLE_HOME directories on which Oracle Identity Manager is installed.

      • If you are creating a new environment, then it is recommended that this step is performed before creating or extending the domain with Oracle Identity Manager.

Stage 2: Filling in the patch_oim_wls.profile File

Move to the OIM_ORACLE_HOME/server/bin/ directory, and enter the details provided in the patch_oim_wls.profile file. The patch_oim_wls.profile file contains the sample values.

Table 1-1 lists the information to be entered for the patch_oim_wls.profile file. This file is used in next stage of the bundle patch process.

Table 1-1 Parameters of the patch_oim_wls.profile File

Parameter Description Sample Value

ant_home

Location of the ANT installation. It is usually under MW_HOME.

For UNIX: MW_HOME/modules/org.apache.ant_1.7.1

For Windows: C:\Oracle\MW_HOME\modules\org.apache.ant_1.7.1

java_home

Location of the JDK/JRE installation that is being used to run the Oracle Identity Manager domain.

For UNIX: MW_HOME/jrockit

For Windows: C:\oracle\Java\jdk1.7.0_80

mw_home

Location of the middleware home location on which Oracle Identity Manager is installed.

For UNIX: /opt/oracle/MW_HOME/

For Windows: C:\Oracle\MW_HOME\

oim_oracle_home

Location of the Oracle Identity Manager installation.

For UNIX: MW_HOME/Oracle_IDM1/

For Windows: C:\Oracle\MW_HOME\Oracle_IAM1

oim_username

Oracle Identity Manager username.

System administrator username

oim_password

Oracle Identity Manager password. This is optional. If this is commented out, then you will be prompted for the password when the script is executed.

N/A

oim_serverurl

URL to navigate to Oracle Identity Manager.

t3://myhost.mycompany.com:14000

soa_home

Location of the SOA installation.

For UNIX: MW_HOME/Oracle_SOA1

For Windows: C:\Oracle\MW_HOME\Oracle_SOA1

weblogic.server.dir

Directory on which WebLogic server is installed.

For UNIX: MW_HOME/wlserver

For Windows: C:\Oracle\MW_HOME\ wlserver

weblogic_user

Domain administrator user name. Normally it is weblogic, but could be different as well.

weblogic

weblogic_password

Domain admin user's password. If this line is commented out, then password will be prompted.

N/A

soa_host

Listen address of the SOA Managed Server, or the hostname on which the SOA Managed Server is listening.

Note: If the SOA Managed Server is configured to use a virtual IP address, then the virtual host name must be supplied.

admin.mycompany.com

soa_port

Listen port of the SOA Managed Server, or SOA Managed Server port number.

8001

Only Non-SSL Listen port must be provided.

operationsDB.user

Oracle Identity Manager database schema user.

DEV_OIM

OIM.DBPassword

Oracle Identity Manager database schema password. If this line is commented out, then the password will be prompted when the script is executed.

N/A

operationsDB.host

Host name of the Oracle Identity Manager database.

oimdbhost.mycompany.com

operationsDB.serviceName

Database service name of the Oracle Identity Manager schema/database. This is not the hostname and it can be a different value as well.

oimdb.mycompany.com

operationsDB.port

Database listener port number for the Oracle Identity Manager database.

1521

mdsDB.user

MDS schema user

DEV_MDS

mdsDB.password

MDS schema password. If this line is commented out, then password will be prompted.

N/A

mdsDB.host

MDS database host name

oimdbhost.mycompany.com

mdsDB.port

MDS database/Listen port

1521

mdsDB.serviceName

MDS database service name

oimdb.mycompany.com

wls_serverurl

URL to navigate to WLS Console

t3://wlshost.mycompany.com:7001

Note:

Updated the parameter value as per the setup used and then execute the patch_oim_wls.sh file.

Stage 3: Patching the Oracle Identity Manager Managed Servers (patch_oim_wls Stage)

Patching the Oracle Identity Governance managed servers is the process of copying the staged files in the previous steps (stage 1) to the correct locations, and running SQL scripts and importing event handlers and deploying SOA composite. For making MBean calls, the script automatically starts the Oracle Identity Governance Managed Server and SOA Managed Server specified in the patch_oim_wls.profile file.

This step is performed by running patch_oim_wls.sh (on UNIX) and patch_oim_wls.bat (on Microsoft Windows) script by using the inputs provided in the patch_oim_wls.profile file. As prerequisites, the WebLogic Admin Server, SOA Managed Servers, and Oracle Identity Governance Managed Server must be running.

To patch Oracle Identity Manager Managed Servers on WebLogic:

  1. Make sure that the WebLogic Admin Server, SOA Managed Servers, and Oracle Identity Manager Managed Server are running.
  2. Set the following environment variables:

    For LINUX or Solaris:

    setenv PATH $JAVA_HOME/bin:$PATH

    For Microsoft Windows:

    set JAVA_HOME=VALUE_OF_JAVA_HOME
set ANT_HOME=\PATH_TO_ANT_DIRECTORY\ant
set OIM_ORACLE_HOME=\MW_HOME\Oracle_IDM1

    Note:

    Make sure to set the reference to JDK binaries in your PATH before running the patch_oim_wls.sh (on UNIX) or patch_oim_wls.bat (on Microsoft Windows) script. This JAVA_HOME must be of the same version that is being used to run the WebLogic servers. The JAVA_HOME version from /usr/bin/ or the default is usually old and must be avoided. You can verify the version by running the following command:

    java -version
  3. Execute patch_oim_wls.sh (on UNIX) or patch_oim_wls.bat (on Microsoft Windows) to apply the configuration changes to the Oracle Identity Manager server. On Linux systems, you must run the script in a shell environment using the following command:
    sh patch_oim_wls.sh

    Note:

    Make sure that Oracle Identity Manager is up and running when you run patch_oim_wls.sh or patch_oim_wls.bat.
  4. Delete the following directory in domain home:
    IDM_DOMAIN/servers/OIM_SERVER_NAME/tmp/_WL_user/oracle.iam.console.identity.self-service.ear_V2.0
  5. To verify that the patch_oim_wls script has completed successfully, check the OIM_HOME/server/bin/patch_oim_wls.log log file.

    Note:

    • On running the patch_oim_wls script, the $DOMAIN_HOME/servers/MANAGED_SERVER/security/boot.properties file might be deleted. If you use a script to start the Managed Server and use the boot.properties file to eliminate the need of entering the password in the script, then create a new boot.properties file.

    • Ignore the following exception traces in the patch_oim_wls.log file:

    [java] Aug 11, 2015 3:45:28 AM oracle.jdbc.driver.OracleDriver registerMBeans
     [java] WARNING: Error while registering Oracle JDBC Diagnosability MBean.
     [java] java.security.AccessControlException: access denied (javax.management.MBeanTrustPermission register)
     [java] at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
  6. Stop and start WebLogic Admin Server, SOA Servers, and Oracle Identity Manager Servers.

    • Shutting down Oracle Identity Governance server might take a long time if it is done with force=false option. It is recommended that you force shutdown Oracle Identity Governance server.

    • For EDG implementations, this script must be run against the mserver domain directory rather than the server domain directory.

    • The UNIX user applying opatch must have read, write, and execute permissions on both OIM_ORACLE_HOME as well as WEBLOGIC_DOMAIN_HOME. You can verify this manually in the file system for DOMAIN_HOME and OIM_ORACLE_HOME.

    • The patch_oim_wls script is re-entrant and can be run again if a failure occurs.

Understanding the Process Sequence With an Example

If you have OIM_ORACLE_HOME_A and OIM_ORACLE_HOME_B, and OIM_ORACLE_HOME_A is running WebLogic Admin Server, oim_server1, and soa_server1, and OIM_ORACLE_HOME_B is running oim_server2 and soa_server2, then the following is the process sequence to apply the bundle patch to the Oracle Identity Manager instance:
  1. Shutdown the Oracle Identity Manager, and ensure that the WebLogic Admin Server and SOA managed servers are running.
  2. Run 'Opatch apply' on OIM_ORACLE_HOME_A. See Stage 1: Patching the Oracle Binaries (OPatch Stage) for more information.
  3. Run 'Opatch apply' on OIM_ORACLE_HOME_B. See Stage 1: Patching the Oracle Binaries (OPatch Stage) for more information.
  4. Fill-in the patch_oim_wls.profile file and run 'patch_oim_wls' or 'patch_oim_was' on OIM_ORACLE_HOME_A or OIM_ORACLE_HOME_B.

    See Stage 2: Filling in the patch_oim_wls.profile File for information on filling in the patch_oim_wls.profile.

    See Stage 3: Patching the Oracle Identity Manager Managed Servers (patch_oim_wls Stage) for information about running patch_oim_wls.

  5. Restart the managed servers on all the nodes.

Removing the Bundle Patch

If you must remove the bundle patch after it is applied, then perform the following steps:

Note:

For clustered installations, perform steps 1 through 3 on all nodes in the cluster.
  1. Perform the same verification steps and requirement checks that you made before applying the bundle patch. For example, verify the OUI Inventory and stop all services running from the ORACLE_HOME.
  2. Move to the directory where the bundle patch was unzipped. For example:
    cd PATCH_TOP/27363471
  3. Run OPatch as follows to remove the bundle patch:
    opatch rollback -id 27363471
  4. Restore OIM_ORACLE_HOME, the WebLogic domain home from the backup created before applying the patch.
  5. Restore the Oracle Identity Manager database using the backup you created in Step 1 of Applying the Bundle Patch to an Existing Instance.

    Note:

    To disable the role hierarchy evaluation, go to the Configuration properties section in the Identity System Administration, set the value of the XL.AllowRoleHierarchicalPolicyEval system property to FALSE, and then restart Oracle Identity Manager server.

Applying the Bundle Patch to a New Instance

Perform the following steps to apply the bundle patch to a new instance:

Installing a New Oracle Identity Governance Instance with Bundle Patch 12.2.1.3.180109

Perform the following steps to apply the bundle patch to a new Oracle Identity Governance instance. You can perform the same steps for clustered deployments.

Note:

For clustered deployments, perform the steps provided in this section on each node in the cluster.
  1. Install Oracle WebLogic Server. See Installing and Configuring Oracle Identity and Access Management at the following URL:
  2. Create the Oracle Identity Governance database schema. See Installing and Configuring Oracle Identity and Access Management.
  3. Install SOA and Oracle Identity Governance. See Installing and Configuring Oracle Identity and Access Management.
  4. Apply patch using Opatch, as described in Stage 1: Patching the Oracle Binaries (OPatch Stage).

    Note:

    If you are creating a new environment, then it is recommended that this step is performed before creating or extending the domain with Oracle Identity Governance.

  5. Create domain by launching configuration wizard as specified in the Installing and Configuring Oracle Identity and Access Management.
  6. Start the WebLogic Admin Server and SOA Server.

    Before starting the WebLogic Admin Server and SOA Server on Microsoft Windows, edit the startWeblogic.cmd file, and replace:

    call "%COMMON_ORACLE_HOME%\bin\wlst.cmd"           
%COMMON_ORACLE_HOME%\tools\configureSecurityStore.py -d           
%DOMAIN_HOME% -m validate

    With the following:

    call "FULL_PATH_TO_WLST_SCRIPT\wlst.cmd"
%COMMON_ORACLE_HOME%\tools\configureSecurityStore.py -d
%DOMAIN_HOME% -m validate

    Here, an example for FULL_PATH_TO_WLST_SCRIPT can be MW_HOME\oracle_common\common\bin\.

  7. Use Oracle Universal Installer to configure Oracle Identity Governance by running config.sh.
  8. Stop and restart the WebLogic Admin Server and SOA Server.
  9. Fill in the patch_oim_wls.profile file by referring to Stage 2: Filling in the patch_oim_wls.profile File.
  10. Run patch_oim_wls.sh (on UNIX) and patch_oim_wls.bat (on Microsoft Windows) to complete patching the domain. This step must be run on the ORACLE_HOME directory of the Oracle Identity Governance Managed Server. For more information, see Stage 3: Patching the Oracle Identity Manager Managed Servers (patch_oim_wls Stage).

    Note:

    Before running the patch_oim_wls script, make sure that WebLogic Admin server and SOA servers are in running state.
  11. Stop and restart the WebLogic Admin Server, SOA Server, and Oracle Identity Governance server.

Postinstallation Configuration

After installing a new Oracle Identity Manager instance with Bundle Patch 12.2.1.3.180109, perform the following post installation configuration step:

In Oracle Identity Governance deployment that is integrated with Oracle Access Manager (OAM), during user password change, the password change confirmation popup message is not displayed.

If you want to display this popup so that it is consistent with rest of the UI, then add a new system property with OIM.PasswordRedirectEnabled as the keyword by using the System Management, System Properties section of the Advanced Administration Console, and set its value to FALSE.

If this property is not present, then the value is defaulted to TRUE. If the value is TRUE, then the user is redirected to the Tasks page after the change password operation.

Updating Oracle Identity Manager Web Applications

The procedure described in this section is applicable only when installing bundle patches for Oracle Identity Manager and not for installing patch set updates.

For updating your web applications on Oracle WebLogic Server:

  1. Stop Oracle Identity Governance Managed Server.
  2. Login to WebLogic Administrative Console.
  3. Click Lock & Edit.
  4. Go to Deployments.
  5. Select the oracle.iam.ui.view and oracle.iam.ui.model app, and click Update. Complete the steps of the wizard by clicking Next. Do not change anything.
  6. Click Apply Changes.
  7. Start Oracle Identity Manager Managed Server.

Configuring Oracle Identity Governance-Oracle Access Manager Integration (Optional)

This bundle patch release supports integration of Oracle Identity Governance (OIG) and Oracle Access Manager (OAM) using Connectors. For more information see, Integrating Oracle Identity Governance and Oracle Access Manager Using LDAP Connectors in Integration Guide for Oracle Identity Management Suite.

Changes in Track Request Functionality

Track Request functionality will change after this Bundle Patch is applied.

When a user performs a search in Self Service tab, Track Requests page, and in the search result table, applies Show list option as For Reportees, all the requests raised by or for the logged in user and user's direct and indirect reportee are displayed.

In the search result table, user has to select a Show list option and click Search. Oracle Identity Manager will not trigger a search action until user clicks on Search.

IP Filter Related Updates

IP Filter (IPF) related updates are not part of the Oracle Identity Governance bundle patch release. For instructions on how to download and applying the IPF one-off bundle patch, see My Oracle Support document ID 2383246.1.

Resolved Issues

The following section lists the issues resolved in Release 12.2.1.3.180109:

Resolved Issues in Release 12.2.1.3.180109

Applying this bundle patch resolves the issues listed in Table 1-2.

Table 1-2 Resolved Issues in Release 12.2.1.3.180109

Bug Number Description

23110063

IMPLEMENTATION OF BULK ATTRIBUTES UPDATE FOR AN ACCOUNT IMPACTS OTHER ACCOUNTS

23337308

CERTIFICATION COLUMN NAME "CREATED BY" AND "UPDATED BY" DISPLAYS USR_KEY

25540355

PS3PARITY:"USER TYPE" VALUE DOESN'T GET SELECTED ON FIRST ATTEMPT

26164709

LOG4J.JAR NOT UPDATED IN SETENV.BAT

26434476

WAITING ON ENTITLEMENT STATUS, PATCH 25292874

26592805

USERS SHOULD NOT BE ABLE TO REVOKE ENT THAT IS PART OF ROLE FROM THEIR MY ACCESS

26615293

SEARCH ON CERTIFICATION DEFINITION CONTENT SELECTION PAGE RETURNS ONLY 28 ROLES

26625354

CERTIF ROLE POLICY TAB CATALOG INFO ENTITLEMENT URL SHOW NO ENTITLEMENT DETIALS

26639196

REPLACE EXISTING SEARCH IN CERT. DEF FLOW RESULTS IN ERROR PAGE AND NPE

26732357

CERTIFCATION RESET STATUS CAUSING NPE

26808282

DATASOURCE CONNECTION LEAK AFTER BUG 20293874

26811926

LIBRARIES FOR MANAGED BEANS AND TASK FLOWS ARE MISSING IN 12C

26863966

SEARCH RETURNS REQUESTS FOR REPORTEES AND NON-REPORTEES FOR R2PS2

26895672

OAM_OIM_OVD_OID_UPG: USER CREATION IS FAILED 

27025966

THIS IS THE TRACKER BUG FOR EPIC OIM-11380

27037128

Fix for Bug 27037128

27110896

BE CONSISTENT WITH SPECIFYING PARAMETERS IN OAM/OIM INTEGRATION

27112593

ERROR WHEN GETTING CONNECTOR SERVER DETAILS BY NON SYSTEM ADMINISTRATOR

27119849

NLS : ISSUE WHILE SETTING CHALLENGE QUESTIONS WHEN FIRST LOGIN

27133948

OIM-OAM-OUD: ADMIN FAILED TO UNLOCK A SELF LOCKED ACCOUNT

27139528

Fix for Bug 27139528

27175826

OIM-OAM-AD: CONFIGURELDAPCONNECTOR FAILED CONNECTOR PACKAGE IS NOT AVAILABLE

27203691

OIM-OAM-OUD: SSO GROUP MEMBERSHIP INCREMENTAL RECONCILIATION DO NOT WORK 

27298564

REPLACE EXISTING SEARCH IN CERT DEF FLOW RESULTING CERT IS NOT GETTING GENERATED 

27300245

OIM-OAM-OID: USER SESSION IS NOT TERMINATED WHEN IT IS DELETED BY ADMIN

27313843

12C BP01: USER SESSION IS NOT TERMINATED WHEN IT IS LOCKED OR DISABLED BY ADMIN

Known Issues and Workarounds

Known issues and their workarounds in Oracle Identity Governance Release 12.2.1.3 are described in the Oracle Identity Governance chapter of the Release Notes for Oracle Identity Management document. You can access the Release Notes document in the Oracle Identity Management Documentation library at the following URL:

https://docs.oracle.com/middleware/12213/idmsuite/IDMRN/toc.htm

Note:

Some known issues listed in the Release Notes for Oracle Identity Management may have been resolved by this Bundle Patch (Oracle Identity Governance Release 12.2.1.3.180109). Compare the issues listed in Resolved Issues of this document when reviewing the Release Notes for Oracle Identity Management.

This section describes the issues and workarounds in this BP release of Oracle Identity Governance:

LDAP User Create and Update Reconciliation Job Fails in Integrated and Upgraded Environment

Issue

Impacted Releases: 12c Release (12.2.1.3.0)

When Oracle Identity Governance Release 11.1.2.3 deployment is integrated with Oracle Access Management, libOVD, and Oracle Unified Directory, and upgraded to Release 12c (12.2.1.3.0), the LDAP User Create and Update Reconciliation scheduled job run fails with the following error when a new user is created and its status is set to locked in the system: 

[2017-06-05T23:39:53.833-07:00] [oim_server1] [ERROR] []
[oracle.iam.ldapsync.scheduletasks.user] [tid: OIMQuartzScheduler_Worker-8]
[userId: oiminternal] [ecid: b2fc7981-724e-474c-b009-8a5e2d915d52-000008e9,0]
[APP: oim] [partition-name: DOMAIN] [tenant-name: GLOBAL] An error occurred
while processing the data that is retrieved from LDAP to create a
reconciliation event.[[
oracle.iam.ldapsync.exception.ReconEventCreationException:
Thor.API.Exceptions.tcAPIException: Exception occurred while inserting data
into table RA_LDAPUSER due to java.sql.SQLException: execute, Exception =
null
        at
oracle.iam.ldapsync.scheduletasks.user.LDAPUserChangesReconTask.createUserReco
nciliationEvent(LDAPUserChangesReconTask.java:435)
        at
oracle.iam.ldapsync.scheduletasks.user.LDAPUserChangesReconTask.processResult(
LDAPUserChangesReconTask.java:179)
        at
oracle.iam.ldapsync.scheduletasks.user.LDAPUserChangesReconTask.execute(LDAPUs
erChangesReconTask.java:132)
...
Caused by: Thor.API.Exceptions.tcAPIException: Exception occurred while
inserting data into table RA_LDAPUSER due to java.sql.SQLException: execute,
Exception = null
        at
oracle.iam.reconciliation.impl.ReconOperationsServiceImpl.createReconciliation
Event(ReconOperationsServiceImpl.java:431)
        at
oracle.iam.reconciliation.impl.ReconOperationsServiceImpl.createReconciliation
Event(ReconOperationsServiceImpl.java:418)
...
Caused by: oracle.iam.reconciliation.exception.ReconciliationException:
Exception occurred while inserting data into table RA_LDAPUSER due to
java.sql.SQLException: execute, Exception = null
        at
oracle.iam.reconciliation.impl.ReconOperationsServiceImpl$1.process(ReconOpera
tionsServiceImpl.java:489)
        at
oracle.iam.reconciliation.impl.ReconOperationsServiceImpl$1.process(ReconOpera
tionsServiceImpl.java:467)
        at
oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCa
llback.java:13)
        at
oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCa
llback.java:6)
        at
org.springframework.transaction.support.TransactionTemplate.execute(Transactio
nTemplate.java:130)
        at
oracle.iam.platform.tx.OIMTransactionManager.executeTransaction(OIMTransaction
Manager.java:47)
        at
oracle.iam.reconciliation.impl.ReconOperationsServiceImpl.reconEvent(ReconOper
ationsServiceImpl.java:467)
        at
oracle.iam.reconciliation.impl.ReconOperationsServiceImpl.createReconciliation
Event(ReconOperationsServiceImpl.java:406)
        at
oracle.iam.reconciliation.impl.ReconOperationsServiceImpl.createReconciliation
Event(ReconOperationsServiceImpl.java:429)
        ... 44 more
Caused by: oracle.iam.platform.utils.SuperRuntimeException:
java.sql.SQLException: execute, Exception = null
        at
oracle.iam.reconciliation.dao.event.EventMgmtDao.create(EventMgmtDao.java:244)

        at
oracle.iam.reconciliation.impl.ReconOperationsServiceImpl$1.process(ReconOpera
tionsServiceImpl.java:478)
        ... 52 more
Caused by: java.sql.SQLException: execute, Exception = null
        at
weblogic.jdbc.wrapper.JDBCWrapperImpl.invocationExceptionHandler(JDBCWrapperIm
pl.java:143)
        at
weblogic.jdbc.wrapper.Statement.invocationExceptionHandler(Statement.java:142)

        at
weblogic.jdbc.wrapper.PreparedStatement.invocationExceptionHandler(PreparedSta
tement.java:100)
        at
weblogic.jdbc.wrapper.PreparedStatement.execute(PreparedStatement.java:125)
        at
oracle.iam.reconciliation.dao.event.EventMgmtDao.create(EventMgmtDao.java:234)

        ... 53 more
Caused by: java.lang.NullPointerException
        at
oracle.jdbc.driver.OracleSql.setNamedParameters(OracleSql.java:174)
        at
oracle.jdbc.driver.OracleCallableStatement.execute(OracleCallableStatement.jav
a:4229)
        at
oracle.jdbc.driver.OraclePreparedStatementWrapper.execute(OraclePreparedStatem
entWrapper.java:1080)
        at
weblogic.jdbc.wrapper.PreparedStatement.execute(PreparedStatement.java:119)
        ... 54 more

Workaround

As a workaround to this issue, before running the LDAP User Create and Update Reconciliation scheduled job:

  1. Login to My Oracle Support website at:

    https://support.oracle.com

  2. Search and download JDBC patch p26400304_122130_Generic.zip.

  3. Apply the JDBC patch.

  4. Run the LDAP User Create and Update Reconciliation scheduled job.

IT Resource Password is Updated as Null

Issue

Impacted Releases: 12c Release (12.2.1.3.0)

When Oracle Identity Governance is upgraded from Release 11g (11.1.2.3.0) to Release 12c (12.2.1.3.0), password of IT resources like Directory Server, Email Provider Definition - UMS, and OIA-ITRes are updated in Credential Store (CSF) as Null. This causes LDAP operations associated with these IT resources to fail.

Workaround

After upgrade, bring OIG Server up and immediately reset password for these IT resources types, Directory Server, Email Provider Definition - UMS, and OIA-ITRes.

To reset the IT resources password:

  1. Login to Oracle Identity System Administration.

  2. Locate the IT Resource for which you want to reset the password.

  3. For Directory Server edit the Admin Password parameter value and for Email Provider Definition - UMS and OIA-ITRes edit the Password parameter value.

For detailed steps on how to search and modify IT Resources parameters, see Managing IT Resources in Administering Oracle Identity Governance.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Related Documents

For more information, see the following resources:

Oracle Fusion Middleware Oracle Identity Governance Bundle Patch Readme, 12c (12.2.1.3.1)

E96127-02

Copyright © 2018, , Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.