4 Oracle Fusion Middleware Administration

This chapter describes issues associated with Oracle Fusion Middleware administration. It includes the following topics:

4.1 General Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

4.1.1 Limitations in Moving from Test to Production

Note the following limitations in moving from test to production:

  • When you are moving Oracle Platform Security Services and the data is moving from LDAP to LDAP, the source and target LDAP domain component hierarchy must be the same. If it is not, the Oracle Platform Security Services data movement will fail. For example, if the source hierarchy is configured as dc=us,dc=com, the target LDAP must have the same domain component hierarchy.

  • On Windows, Node Manager must be shut down before you run the copyConfig script.

  • If SSL is disabled on the source, any values for the keystores and certificates are copied to the target environment. To work around this issue, take one of the following steps:

    • Delete the values in the source environment:

      1. In Fusion Middleware Control, for each server, from the WebLogic Server menu, select Administration, then Keystores.

      2. Delete the values for the following:

        Demo Identity Keystore
        Demo Identity Keystore Type
        Demo Trust Keystore 
        Demo Trust Keystore Type
        
      3. Click Save.

      4. For each server, from the WebLogic Server menu, select Administration, then SSL.

      5. Delete the values for the following:

        Identity and Trust Locations
        Private Key Location
        Certificate Location
        Demo Trust Keystore Type
        
    • If the source environment is configured with the keystore service, the target is configured with Demo certificates. After you execute the movement scripts, update the target environment to use actual certificates. See "Managing Keys and Certificates with the Keystore Service" in Securing Applications with Oracle Platform Security Services.

    • After you extract the move plan, edit it, substituting dummy values. However, each passphrase value must point to a valid file, which can contain any text. Later, if you want to enable SSL on the target system, modify the SSL values.

  • If the source domain is configured with Custom Identity from a well-known Certificate Authority, the move plan still expects Custom Trust Location and Custom Trust Keystore Password properties. To work around this, you can point to the default trust keystore of the JDK and its password. For example, the default trust keystore of the JDK is located at:

    JDK_HOME/jre/lib/security/cacerts
    
  • When you move Oracle HTTP Server, the MatchExpression directive is not moved. To work around this:

    1. After the pasteConfig operation completes, check if any MatchExpression string is present in any of the configuration files in the following directory:

      DOMAIN_HOME/config/fmwconfig/components/OHS/component_name
      
    2. If a MatchExpression string exists in any file, update the values with the target endpoints.

  • When you execute pasteConfig and the archive contains Oracle Platform Security Services, the script may return the following errors:

    oracle.security.audit.util.StrictValidationEventHandler handleEvent
    WARNING: Failed to validate the xml content. Reason: cvc-complex-type.2.4.b:
    The content of element '' is not complete. One of
    '{"http://xmlns.oracle.com/ias/audit/audit-2.0.xsd":source}' is expected..
    Apr 24, 2013 6:28:29 AM
    oracle.security.audit.util.StrictValidationEventHandler handleEvent
    WARNING: Failed to validate the xml content. Reason: cvc-complex-type.2.4.b:
    The content of element '' is not complete. One of
    '{"http://xmlns.oracle.com/ias/audit/audit-2.0.xsd":source}' is expected..
    

    You can ignore these errors.
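
The MatchExpression check described in the Oracle HTTP Server item above can be scripted. The following is an added example, not part of Oracle's documentation or tooling: it assumes the mod_wl_ohs form `MatchExpression pattern name=value|name=value`, and the sample file, host names and function names are constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Assumed mod_wl_ohs form: MatchExpression <pattern> [name=value|name=value ...]
DIRECTIVE = re.compile(r"^\s*MatchExpression\s+(\S+)(?:\s+(\S.*?))?\s*$", re.I)
ENDPOINT_PARAMS = {"weblogichost", "weblogiccluster"}

# Constructed sample of a moved mod_wl_ohs.conf; host names are made up.
SAMPLE = """\
<IfModule weblogic_module>
  # MatchExpression /old WebLogicHost=ignored.example.com
  MatchExpression *.jsp WebLogicHost=test-wls1.example.com|WebLogicPort=7001
  MatchExpression /app WebLogicCluster=prod-wls1.example.com:8001,test-wls2.example.com:8001
</IfModule>
"""

def endpoint_hosts(params):
    """Host names from WebLogicHost / WebLogicCluster (host:port,host:port) parameters."""
    hosts = []
    for pair in params.split("|"):
        name, _, value = pair.partition("=")
        if name.strip().lower() in ENDPOINT_PARAMS:
            hosts += [h.strip().partition(":")[0] for h in value.split(",") if h.strip()]
    return hosts

def audit(component_dir, target_hosts):
    """Return (file, line, pattern, hosts_not_in_target) for every MatchExpression."""
    allowed = {h.lower() for h in target_hosts}
    findings = []
    for path in sorted(p for p in Path(component_dir).rglob("*") if p.is_file()):
        for number, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            match = DIRECTIVE.match(line)  # commented-out lines start with '#': no match
            if match:
                stale = [h for h in endpoint_hosts(match.group(2) or "") if h.lower() not in allowed]
                findings.append((path.name, number, match.group(1), stale))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 2:  # usage: script.py COMPONENT_DIR TARGET_HOST [TARGET_HOST ...]
        results = audit(sys.argv[1], sys.argv[2:])
    else:  # no arguments: run against the constructed sample
        with tempfile.TemporaryDirectory() as tmp:
            Path(tmp, "mod_wl_ohs.conf").write_text(SAMPLE)
            results = audit(tmp, ["prod-wls1.example.com"])
    for name, number, pattern, stale in results:
        print(f"{name}:{number}: {pattern} -> {'UPDATE ' + ', '.join(stale) if stale else 'ok'}")
```

Run it against DOMAIN_HOME/config/fmwconfig/components/OHS/component_name with the target host names as arguments; every line reported with UPDATE still names an endpoint outside the target environment.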

4.1.2 SSL Certificate Chain Required on Certain Browsers

When you configure SSL for Oracle HTTP Server, you may need to import the entire certificate chain (rootCA, Intermediate CAs and so on).

Certain browsers, for example Internet Explorer, require that the entire certificate chain be imported into the browser for the SSL handshake to work. If your certificate was issued by an intermediate CA, you will need to ensure that the complete chain of certificates is available on the browser or the handshake will fail. If an intermediate certificate in the chain expires, it must be renewed along with all the certificates (such as OHS server) in the chain.

4.2 Documentation Errata for the Administering Oracle Fusion Middleware

There are no documentation errata at this time.