4 Oracle Access Management

Known issues and workarounds for Oracle Access Management include general issues and configuration issues.

Note:

See What's New in Oracle Access Management for information about new features in this release of Oracle Access Management.

4.1 Access Management Known Issues and Workarounds

This topic describes known issues and workarounds for Oracle Access Management. It includes the following topics:

4.1.1 IHS 9 Web Server Crashes after Configuring WebGate 12cPS4 for AIX Platform

Issue

IHS 9 web server crashes after configuring WebGate 12cPS4 for AIX 7.1 platform.

Workaround

On the AIX platform, set the environment variable LDR_PRELOAD64 to libclntsh.so before configuring the WebGate. For example:
export LDR_PRELOAD64=libclntsh.so

4.1.2 Exception Occurs After 12c IIS WebGate Restarts or Stops

Issue

After the IIS server is restarted or stopped, an exception occurs and a pop-up window appears.

Workaround

Click Cancel on the pop-up window and proceed.

4.1.3 JPS Library Error Causing ASDK Initializing Failure

Issue

Running the oamasdk libraries to initialize the Access Client using jps-api.jar, jps-manifest.jar, and opss-manifest.jar returns the following error:

SEVERE: Oracle Access SDK initialization failed.
java.lang.NullPointerException
at oracle.security.opss.internal.service.config.OPSSConfigurationServiceImpl.getDefaultBootstrapConfiguration(OPSSConfigurationServiceImpl.java:260)
at oracle.security.opss.internal.service.config.RuntimeConfigurationServiceImpl.getDefaultBootstrapConfiguration(RuntimeConfigurationServiceImpl.java:313)
at oracle.security.opss.internal.runtime.ServiceContextManagerImpl.initBootstrap(ServiceContextManagerImpl.java:173)
at oracle.security.opss.internal.runtime.ServiceContextManagerImpl.initBootstrap(ServiceContextManagerImpl.java:154)
at oracle.security.opss.internal.runtime.ServiceContextManagerImpl.initBootstrap(ServiceContextManagerImpl.java:148)
at oracle.security.jps.internal.config.OpssCommonStartup$3.run(OpssCommonStartup.java:401)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.internal.config.OpssCommonStartup.preStart(OpssCommonStartup.java:357)
at oracle.security.jps.JpsStartup.preStart(JpsStartup.java:389)
at oracle.security.jps.JpsStartup.start(JpsStartup.java:228)
at oracle.security.opss.internal.core.runtime.ContextFactoryProxy.checkInit(ContextFactoryProxy.java:201)
at oracle.security.opss.internal.core.runtime.ContextFactoryProxy.getContext(ContextFactoryProxy.java:139)

Workaround

  1. Update the class path to include the following jars:
    • oracle_common/modules/oracle.igf/igf-manifest.jar
    • oracle_common/modules/oracle.idm/identitystore.jar
  2. Pass the -Dopss.tenant.mode=JPS_AP argument as a JVM option while running the ASDK code.

4.1.4 Takes time to propagate a policy or any metadata change

Issue

Set the password policy option to "Disallow previous passwords" and create a new password using the previously used password. The password can still be created.

Workaround

When you make any change to a policy, it takes time to propagate across the OAM cluster. Wait at least 60 seconds (longer if the network is slow) for the changes to take effect. It is recommended that the changes be made when the OAM servers are offline.

4.1.5 User name field in SME UI is case sensitive

Issue

The OAM console-based session management search is case sensitive.

4.1.6 Unused References in OAM console

Issue

The following references in the OAM console are unused:

  • Access Portal

  • OAuth Service

  • Allow OAuth Token

  • Token Issuance Policies

  • Access Portal Service Settings

4.1.7 Deprecated Java Policy

For upgrade customers, refer to the Java policy. See TLS 1.2 Support in Oracle Access Management.

4.1.8 Test-to-Production Not Supported in OAM

Issue

OAM does not support Test-to-Production (T2P) tools in this release.

Workaround

To create one or more cloned data centers follow the steps in the procedure, Adding an Additional Clone Data Center to the Existing Multi-Data Center Setup.

4.1.9 chghost Tool does not Work with OAM

Issue

OAM does not support the chghost tool in this release.

Workaround

The host:port for the primary and secondary servers can be configured using the UI parameters in the OAM console.

See Configuring and Managing Registered OAM Agents Using the Console.

For the WebGate profiles and policies on the OAM server, use the import/export partners feature or Bulk updates for WebGates.

For WebGates, you can do either of the following when host and port information is changed:

Note:

ObAccessClient.xml can be found at webgate_instance_dir (${Oracle_Home}/user_projects/domains/$(DOMAIN_HOME)/config/fmwconfig/components/OHS/ohs1/webgate/config/ObAccessClient.xml)

4.1.10 Exception occurs while using OAM Access Tester Tool

Issue

In the OAM Access Tester tool, after entering the server connection details and clicking the Connect button, the connection is established but with the following exception.

In Access Tester Console:

SEVERE: Server reported that incorrect NAP version is being used, while client attempted to communicate using NAP version 5. See server log for more information.

Stack trace in Server Logs:

<Error> <oracle.oam.proxy.oam> <OAM-04020> <Exception encountered while processing the request message for agent {0} at IP {1} Request message {2} :oracle.security.am.proxy.oam.requesthandler.OAMProxyException: Partner: TestWebgate is registered with version 11.0.0.0. Runtime version of agent is different: 11.* .Agent will not be able to communicate with the server   
at oracle.security.am.proxy.oam.requesthandler.ObAAAServiceServer.getClientAuthentInfo(ObAAAServiceServer.java:159)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.ObAuthenReqChallengeHandler(RequestHandler.java:566)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleRequest(RequestHandler.java:229)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleMessage(RequestHandler.java:180)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean.getResponseMessage(ControllerMessageBean.java:94)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.MessageDrivenLocalObject.invoke(MessageDrivenLocalObject.java:127)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.getResponseMessage(Unknown Source)
at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.getResponse(ObClientToProxyHandler.java:316)
at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.messageReceived(ObClientToProxyHandler.java:270)
at org.apache.mina.common.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:743)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.common.IoFilterEvent.fire(IoFilterEvent.java:54)
at org.apache.mina.common.IoEvent.run(IoEvent.java:62)
at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:85)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:209)
at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352)
at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337)
at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57)
at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:644)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:415)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:355)
>

Note:

The above exception is seen while using Access Tester. Access Tester first tries to connect with NAP version 5, then falls back to NAP version 4, and then to NAP version 3 if the earlier versions do not work. There is no impact on functionality.

4.1.11 Simple Security Mode Does Not Function with OAM Server

On the AIX Platform, Simple Security Mode does not function with OAM Server.

While registering a new WebGate agent for artifact generation, select Open or Cert Security Mode in the OAM Server Console.

4.2 Access Management Console Issues

This topic describes console issues and workarounds for Oracle Access Management (Access Manager). It includes the following topic:

4.2.1 OOB OAM console logout does not work

Issue

Until R2PS3, IAMSuiteAgent was the OOB agent protecting the OAM console. From 12c PS3 onwards, the OAM console can be protected using a WebGate agent.

Workaround

Close the OAM console instead of logging out.

A server-side session is not created when the OAM console is accessed with the OOB configuration. As per the EDG (Enterprise Development Guide), it is recommended to protect the OAM console using a WebGate agent.

4.3 Features Not Supported in Access Manager

This section provides a list of features that are not supported in Access Manager releases.

4.3.1 Features Not Supported in Access Manager 12.2.1.4.0

The unsupported features are the same as in 12.2.1.3.0 release.

4.3.2 Features Not Supported in Access Manager 12.2.1.3.0

The following table lists the features that are unsupported from OAM 12.2.1.3.0 onwards and provides the migration path. Each entry gives the unsupported feature, its description, and the migration path.

Feature: 10g OSSO server co-existence
Description: OAM 12c server does not support co-existence with the OSSO servers.
Migration Path: Upgrade from OSSO to OAM 11g R2PS3 and then upgrade to OAM 12c.

Feature: OpenSSO server co-existence
Description: OAM 12c server does not support co-existence with the OpenSSO server.
Migration Path: Upgrade to OAM 11g R2PS3 and then upgrade to OAM 12c.

Feature: OAM 10g server co-existence
Description: OAM 12c server does not support co-existence with OAM 10g server.
Migration Path: Migrate to OAM 12c server.

Feature: OpenSSO agents
Description: OpenSSO agents are not supported in the OAM 12c release.
Migration Path: Migrate to supported 12c agents. OAM 11g and 12c WebGates and AccessGates are supported in OAM 12.2.1.3.0.

Feature: mod_osso
Description: OAM 12c does not support mod_osso (OSSO Agent Proxy) agents.
Migration Path: Migrate to 12c WebGate agents and upgrade to OAM 12c.

Feature: OAM 10g WebGate
Description: OAM 12c server does not support OAM 10g WebGates.
Migration Path: Migrate to OAM 11g R2PS3 or OAM 12c WebGates, and upgrade the server to OAM 12c.

Feature: IDMConfigTool
Description: OAM 12c does not support the following commands and attributes:

  • prepareIDStore=FUSION

  • prepareIDStore=OAAM

  • configPolicyStore

  • configOVD

  • disableOVDAccessConfig

  • postProvConfig

  • validate: All options are not supported

  • ovdConfigUpgrade

  • upgradeOIMTo11gWebgate

  • POLICYSTORE_SHARES_IDSTORE

  • SPLIT_DOMAIN

Feature: IAMSuiteAgent
Description: OAM 12c does not support IAMSuiteAgent. Until R2PS3, IAMSuiteAgent was the OOB agent protecting the OAM console. From 12c PS3 onwards, this is done using the default OOB login page.
Migration Path: As per the EDG (Enterprise Development Guide), it is recommended to protect the OAM console using a WebGate agent.

Feature: Oracle Mobile Security Suite (OMSS)
Description: OAM 12c does not support OMSS.
Migration Path: It is recommended to use OpenID Connect. For details, see OIDC Client Integrations with Social Identity Providers.

Feature: Security Token Service (STS)
Description: OAM 12c does not support STS.
Migration Path: It is recommended to use OAuth. For details, see Understanding OAuth Services.

Note:

There is no 12c version of Oracle Adaptive Access Manager (OAAM); continue to use OAAM 11g with OAM 12c.

In 12c, for mobile and social login use cases, we recommend that customers use standard OAuth. We are deprecating the proprietary way of achieving these use cases so that customers can move to a more standards-based approach that allows better interoperability. The following services are deprecated in 12c:

  • Mobile and Social Services

  • Mobile OAuth Service

  • Security Token Service

  • Access Portal Service