11 Troubleshooting the Oracle Identity Manager Upgrade

If you encounter errors while upgrading Oracle Identity Manager, review the following troubleshooting procedures.

Note:

The product Oracle Identity Manager is referred to as Oracle Identity Manager (OIM) and Oracle Identity Governance (OIG) interchangeably in the guide.

Topics:

11.1 KeystoreService Exception in the Logs After Reconfiguring the OIM Domain

After you reconfigure the Oracle Identity Manager (OIM) domain, the logs show some exceptions which can be ignored.

The following exceptions are seen in the logs after you reconfigure the OIM domain:
oracle.security.jps.upgrade.tools.KeyStoreUpgrade - Exception in checking for 
jdk cacert store
oracle.security.jps.service.keystore.KeyStoreServiceException: Failed to load
the keystore. 
at oracle.security.jps.internal.keystore.ldap.KeyStoreDataManager.getKeyStore(Key
StoreDataManager.java:987) 
at oracle.security.jps.internal.keystore.ldap.LdapKeyStoreServiceImpl.getKeyStore 
(LdapKeyStoreServiceImpl.java:279) 
at oracle.security.jps.upgrade.tools.KeyStoreUpgrade.importJdkCacerts(KeyStoreUpg 
rade.java:313)
at oracle.security.jps.upgrade.tools.KeyStoreUpgrade.upgradeDITAndData(KeyStoreUp 
grade.java:266) 
at oracle.security.jps.upgrade.tools.utility.Upgrade.upgradeOPSSDITAndData(Upgrad 
e.java:1078)
at oracle.security.jps.upgrade.tools.utility.Upgrade.upgradeOPSS(Upgrade.java:772)
at oracle.security.opss.tools.lifecycle.OpssDomainConfigImpl.reconfigSubsystem(Op 
ssDomainConfigImpl.java:359)
at oracle.security.opss.tools.lifecycle.OpssDomainConfigImpl.initializeSubsystem(
OpssDomainConfigImpl.java:271)
at oracle.security.opss.tools.lifecycle.cie.OpssSecurityConfiguration.initializeS 
ubsystem(OpssSecurityConfiguration.java:188) 
at com.oracle.cie.domain.progress.template.importer.ImporterOPSSProcessingPhase.i 
nitialize(ImporterOPSSProcessingPhase.java:36) 
at com.oracle.cie.domain.progress.domain.generation.OPSSProcessingPhase.processOP 
SS(OPSSProcessingPhase.java:154) 
at com.oracle.cie.domain.progress.domain.generation.OPSSProcessingPhase.execute(O
PSSProcessingPhase.java:54)
at com.oracle.cie.domain.progress.AbstractProgressGenerator.run(AbstractProgressG
enerator.java:94)
at java.lang.Thread.run(Thread.java:745) 
Caused by: java.io.IOException: Keystore publiccacerts in app stripe system 
does not exist
at oracle.security.jps.internal.keystore.provider.FarmKeyStoreSpi.engineLoad(Farm 
KeyStoreSpi.java:606)
at java.security.KeyStore.load(KeyStore.java:1479) 
at oracle.security.jps.internal.keystore.ldap.KeyStoreDataManager.getKeyStore(Key
StoreDataManager.java:976)

Ignore this warning and proceed.

11.2 Warning when Generating the Pre-Upgrade Report for OIM

When you run the pre-upgrade report utility to generate the pre-upgrade report for Oracle Identity Manager, the audit store instantiation failure warning is seen on the console, which can be ignored.

The following warning is seen on the console when generating the pre-upgrade report for OIM:
WARNING: Audit store instantiation failure, type: db reason:
java.lang.ClassNotFoundException: 
oracle.security.audit.config.dynamic.persistence.internal.ldap.LdapAuditStore
Jul 28, 2016 10:26:05 PM 
oracle.security.jps.az.internal.runtime.service.PDPServiceImpl 
oracle.security.jps.az.internal.runtime.service.PDPServiceImpl 
SEVERE: Cannot read the default policy store.
oracle.security.jps.service.policystore.PolicyStoreException:
oracle.security.jps.az.internal.management.pd.PD 
at oracle.security.jps.az.common.pd.service.PDServiceFinder.getPolicyDistribution
Service(PDServiceFinder.java:65)
at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.initializeMixed
Mode(PDPServiceImpl.java:714) 
at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.initial(PDPServ
iceImpl.java:685) 
Ignore this warning and proceed.

11.3 OIM Bootstrap for DEPLOYSOACOMPOSITES Task Fails After Upgrade

After you complete the Oracle Identity Manager upgrade, when you start the Oracle Identity Manager Managed Servers for the first time, bootstrapping happens. If the OIM bootstrap fails for DEPLOYSOACOMPOSITES task, use the workaround described in this section to resolve the issue.

The following error is seen in the OIM server logs:
<Oct 4, 2016, 4:53:51,904 AM PDT> <Info> <oracle.iam.OIMPostConfigManager>
<BEA-000000> <FROM THREAD:Processing sar=/scratch/mw12c/idm/server/workflows/composites/scajars/sca_DefaultRequest Approval_rev5.0.jar>
<Oct 4, 2016, 4:53:51,906 AM PDT> <Info> <oracle.iam.OIMPostConfigManager>
<BEA-000000> <FROM THREAD:Adding sar file -/scratch/mw12c/idm/server/workflows/composites/scajars/sca_DefaultRequestAppro val_rev5.0.jar>
<Oct 4, 2016, 4:53:52,40 AM PDT> <Info> <oracle.iam.OIMPostConfigManager>
<BEA-000000> <FROM THREAD:INFO: Creating HTTP connection to host:slc09pqg.us.oracle.com, port:16230>
<Oct 4, 2016, 4:53:54,694 AM PDT> <Info> <oracle.iam.OIMPostConfigManager>
<BEA-000000> <FROM THREAD:INFO: Received HTTP response from the server, response code=500>
<Oct 4, 2016, 4:53:54,695 AM PDT> <Info> <oracle.iam.OIMPostConfigManager>
<BEA-000000> <FROM THREAD:---->Response code=500, error:There was an error deploying the composite on soa_server1: keepInstancesOnRedeploy flag can only be used with BPM enabled installation..>
<Oct 4, 2016, 4:53:54,696 AM PDT> <Info> <oracle.iam.OIMPostConfigManager>
<BEA-000000> <FROM THREAD:> <Oct 4, 2016, 4:53:54,964 AM PDT> <Info> <oracle.iam.OIMPostConfigManager>
<BEA-000000> <Completed the script Command execution.>
<Oct 4, 2016, 4:53:54,965 AM PDT> <Info> <oracle.iam.OIMPostConfigManager>
<BEA-000000> <The logs are written to file :/tmp/deploySOAComposites_1475582008428.log>
<Oct 4, 2016, 4:53:54,966 AM PDT> <Info> <oracle.iam.OIMPostConfigManager>
<BEA-000000> <  [OIM_CONFIG] Error while executing the wlst script /tmp/deploySOAComposites_1475582008428.py>
<Oct 4, 2016, 4:53:54,967 AM PDT> <Error> <oracle.iam.OIMPostConfigManager>
<BEA-000000> < Error while executing the wlst script /tmp/deploySOAComposites_1475582008428.py>
<Oct 4, 2016, 4:53:54,967 AM PDT> <Error> <oracle.iam.OIMPostConfigManager>
<BEA-000000> < Error while executing the wlst script /tmp/deploySOAComposites_1475582008428.py>
<Oct 4, 2016, 4:53:54,967 AM PDT> <Info> <oracle.iam.OIMPostConfigManager>
<BEA-000000> <  deploySOAComposites() Failed.>
<Oct 4, 2016, 4:53:54,968 AM PDT> <Info> <oracle.iam.OIMPostConfigManager>
<BEA-000000> <  Forced deployment of 12c SOA composite failed.>
<Oct 4, 2016, 4:53:54,968 AM PDT> <Warning> <oracle.iam.OIMPostConfigManager> 
<BEA-000000> <   Unable to deploy te SOA Composites.>
<Oct 4, 2016, 4:53:54,968 AM PDT> <Warning> <oracle.iam.OIMPostConfigManager> 
<BEA-000000> <   Unable to deploy te SOA Composites.>
<Oct 4, 2016, 4:53:54,969 AM PDT> <Info> <oracle.iam.OIMPostConfigManager>
<BEA-000000> <Reason of fail :Error occurred while deploying the 12c SOA composite>
The following error is seen in the Oracle SOA Suite (SOA) server logs:
<Oct 4, 2016, 2:57:30,535 AM PDT> <Error> <ServletContext-/soa-infra>
<BEA-000000> <Error during deployment  
oracle.fabric.common.FabricDeploymentException: keepInstancesOnRedeploy flag 
can only be used with BPM enabled installation. {rootCauses=[]}  
at oracle.integration.platform.blocks.deploy.servlet.DeployProcessor.doDeployWork 
(DeployProcessor.java:582)  
at oracle.integration.platform.blocks.deploy.servlet.DeployProcessor.doDeployWork 
(DeployProcessor.java:473)  
at oracle.integration.platform.blocks.deploy.servlet.DeployProcessor.doDeploy(Dep 
loyProcessor.java:282)  
at oracle.integration.platform.blocks.deploy.servlet.DeployProcessor.process(Depl 
oyProcessor.java:168)  
at oracle.integration.platform.blocks.deploy.servlet.CompositeDeployerServlet.doP 
ostInsideLoggingSession(CompositeDeployerServlet.java:250)  
Truncated. see log file for complete stacktrace  
<Oct 4, 2016, 2:57:30,553 AM PDT> <Error> 
<oracle.integration.platform.blocks.deploy.servlet> <SOA-21537> <Sending back 
error message: There was an error deploying the composite on soa_server1: 
keepInstancesOnRedeploy flag can only be used with BPM enabled
installation...>

To resolve this issue, start the Oracle SOA Suite server with the following property:

-Dbpm.enabled=true

This completes the OIM bootstrap tasks successfully. After the successful completion of OIM bootstrap tasks, restart all of the servers. This time, do not use the property -Dbpm.enabled=true for starting the SOA server. When you start the Managed Servers for the first time after upgrade, start them with the Administration Server URL.

11.4 Authorization Policy Merge Issue

Oracle Identity Manager 11.1.2.3.0 has two Oracle Platform Security Services (OPSS) application policy stripes namely oim and OracleIdentityManager, whereas Oracle Identity Governance 12.2.1.3 has only one OPSS application policy stripe named oim. The 12c upgrade process handles the merging of application stripes into one along with all the customization, at various phases.

If you encounter any error or issue related to OPSS application policies after upgrade, or if you find the policies in inconsistent state, complete the following steps to restore the OPSS application policies:

  1. The Authorization policy backup for OIM lying in OPSS schema is taken by the 12c pre-upgrade utility. This backup folder is located at oim.outputreportfolder/Auth-Policy-Backup.
    oim.outputreportfolder is the name of the pre-upgrade report output folder specified by you in the preupgrade_report_input.properties file when you ran the pre-upgrade utility.
    The backup folder contains the following files:
    • oim.outputreportfolder/Auth-Policy-Backup/oim.xml — This is for oim application policy stripe of 11.1.2.3.0.

    • oim.outputreportfolder/Auth-Policy-Backup/OracleIdentityManager.xml — This is for OracleIdentityManager application policy stripe of 11.1.2.3.0.

    Restore these stripes data in OIM database using the following WLST offline commands:

    • migrateSecurityStore(type="appPolicies", srcApp="OracleIdentityManager ", configFile="DOMAIN_HOME/config/fmwconfig/jps-config_temp.xml", src="desContextOracle", dst="migrateStripe",overWrite="true")

    • migrateSecurityStore(type="appPolicies", srcApp="oim", configFile="DOMAIN_HOME/config/fmwconfig/jps-config_temp.xml", src="desContextOIM", dst="migrateStripe",overWrite="true")

    In the above commands, DOMAIN_HOME/config/fmwconfig/jps-config_temp.xml file is a copy of the DOMAIN_HOME/config/fmwconfig/jps-config.xml file. The following service instances and JPS contexts are added in this file:

    <serviceInstance name="serviceInsOracle" provider="policystore.xml.provider" location="<oim.outputreportfolder>/Auth-Policy-Backup/OracleIdentityManager.xml"/> <serviceInstance name="serviceInsOIM" provider="policystore.xml.provider" location="<oim.outputreportfolder>/Auth-Policy-Backup/oim.xml"/>
    
    
    <jpsContext name="desContextOracle">
    <serviceInstanceRef ref="serviceInsOracle"/>
    </jpsContext>
    <jpsContext name="desContextOIM">
    <serviceInstanceRef ref="serviceInsOIM"/>
    </jpsContext>
    <jpsContext name="migrateStripe">
    <serviceInstanceRef ref="policystore.db"/>
    </jpdContext>
    
  2. Migrate the OracleIdentityManager stripe to oim stripe using the following WLST offline command:

    migrateSecurityStore(type="appPolicies", srcApp="OracleIdentityManager", dstApp="oim", configFile=DOMAIN_HOME/config/fmwconfig/jps-config_temp.xml, src="migrateStripe", dst="migrateStripe",overWrite="false")

  3. Merge the 12c Out Of The Box application policies on OIM 11.1.2.3.0 application policy stripe named as oim by doing the following:
    1. Unzip the 12c_Middleware_Home/idm/common/templates/wls/oracle.OIM.reconfig.template_1 2.2.1.2.0.jar file to any temporary location. This temporary location is referred to as unzip_location.
    2. Verify that the file unzip_location/security/authorization/jazn-data.xml exists.
    3. Run the following WLST offline command:
      migrateSecurityStore(type="appPolicies", srcApp="oim", configFile=DOMAIN_HOME/config/fmwconfig/jps-config_temp.xml, src="12c_context", dst="migrateStripe",overWrite="false")
      The following service instances and JPS contexts are added in the DOMAIN_HOME/config/fmwconfig/jps-config_temp.xml file:
      <serviceInstance name="serviceIns12c_context" 
      provider="policystore.xml.provide" 
      location="unzip_location/security/authorization/jazn-dara.xml"/>
      <jpsContext name="12c_context">
      <serviceInstanceRef ref="service12c_context"/>
      </jpsContext>
      
    4. Delete the OracleIdentityManager stripe using the following WLST command:
      deleteAppPolicies(appStripe="OracleIdentityManager")

11.5 MAR Update or Metadata Merge Issue

When you start the Oracle Identity Manager Managed Severs for the first time after upgrade, if you encounter any error during the bootstrap process which is related to MARUPDATE bootstrap task, run the external utility mergeMDSDataAfterUpgrade.sh from the 12c Middleware Home to re-trigger the Metadata Services (MDS) merge process.

The upgrade utility merges the existing 11.1.2.3.0 MDS data with 12c Out of the Box (OOTB) to preserve the customization.

When you start the OIM Managed Server for the first time, if you encounter errors for MARUPDATE bootstrap task, check if the issue is occurring during the MDS merge process. If so, run an external utility to re-trigger the MDS merge process as described in this section.

To check if the issue is occurring during the MDS merge process, do the following:
  1. Connect to the Oracle Identity Manager database.

  2. Use the following SQL query to check the status of the MARUPDATE bootstrap task:

    select State from OIMBootState where  FEATURENAME='MARUPDATE';
    
  3. If the query returns VALID or COMPLETE, the issue is not because of the MDS merge failure. Therefore, no action is required. If the query returns any other result, run the merge utility to re-trigger the MDS merge process.

To re-trigger the MDS merge process using the merge utility, complete the following steps:
  1. The OIM pre-upgrade reports folder must exist on the same machine from which the MDS merge utility is going to be triggered. If the pre-upgrade reports are on a different machine, copy them to the machine from which you wish to run the merge utility. The pre-upgrade report utility takes a back up of the MDS data and saves it in the pre-upgrade reports folder.
    The MDS backup data is located at <oim.outputreportfolder>/MDS-Backup folder. <oim.outputreportfolder> is the path that you specified for the property oim.outputreportfolder in the preupgrade_report_input.properties file, when generating the pre-upgrade reports for OIM.
  2. Run the following command from the location 12c_Middleware_Home/idm/server/bin/mergeMDSDataAfterUpgrade.sh
    You must specify the location of the OIM pre-upgrade reports folder. The MDS merge utility that you triggered merges the MDS backup data from the pre-upgrade reports folder with the 12c data OOTB.
  3. After the successful completion of the MDS merge process, connect to the OIM database and run the following query: update OIMBootState set State=’COMPLETE’ where FEATURENAME=’MARUPDATE’;
  4. Restart the OIM Managed Server.
(Optional) Enter the result of the procedure here.

11.6 Error When Opening ADF DI Excel Sheet After Upgrade

The ADFDI functionality will not work after you upgrade Oracle Identity Manager to 12c (12.2.1.3.0).

After upgrade, when you open the ADF DI spreadsheet in Excel, the following error is displayed:
ADFDI-05587: The client and server versions do not match. Using this version  of the client may result in unexpected behavior or errors.
The client version is 11.1.1.7.0 (6882) but the server at http://host.example.com:22925/identity/adfdiRemoteServlet expects  version 12.2.1.3.0 (16546) using precision 3.

To resolve this, uninstall and reinstall the ADF DI Excel plug-in, and then re-download the Excel.

11.7 Complilation Error When Starting the SOA Server After Upgrade

When you start the Oracle SOA Suite for the first time after upgrade, you may see the compilation error in the SOA server logs.

The following error is displayed in the SOA server logs:
[2016-07-01T02:04:18.239-07:00] [soa_server1] [ERROR] [] 
[oracle.soa.bpel.system] [tid: DaemonWorkThread: '8' of WorkManager: 
'wm/SOAWorkManager'] [userId: ] [ecid: 
4f969dd2-853a-4ddf-be01-0ac2ca0d2210-00000009,0:11854] [APP: soa-infra] 
[partition-name: DOMAIN] [tenant-name: GLOBAL] Error while loading process.[[ 
The process domain is encountering the following errors while loading the 
process "ApprovalProcess" (composite 
"default/DefaultRequestApproval!5.0*soa_c9c16746-016e-40c4-aaea-6ccd2d685cb4") 
. 
: BPEL 1.1 compilation failed. 
This error contained an exception thrown by the underlying process loader 
module. 
Check the exception trace in the log (with logging level set to debug mode). 
If there is a patch installed on the server, verify that the bpelcClasspath 
domain property includes the patch classes.

Check the SOA composites status from Oracle Enterprise Manager console after successful start of the Oracle Identity Manager Managed Server.

If the Enterprise Manager console shows DefaultRequestApproval!5.0 composite status as actively deployed, ignore this one time error.

If you have upgraded your 11g Release 2 (11.1.2.2.0) environments to 11g Release 2 (11.1.2.3.0), and then to 12c (12.2.1.3.0), you will see the compilation error for DefaultRequestApproval!3.0 composite. This composite was in use in 11g Release 2 (11.1.2.2.0). Before you upgraded to 11.1.2.3.0, this composite processed all of the inflight requests. After upgrading to 11.1.2.3.0, all of the new requests go via DefaultRequestApproval!5.0 composite.

DefaultRequestApproval!3.0 is irrelevant when upgrading from 11.1.2.3.0 to 12c (12.2.1.3.0). Therefore, this compilation error can be ignored.

11.8 Warning in Oracle Identity Manager Server Logs After Upgrade

After upgrade, the Oracle Identity Manager (OIM) Server logs show NPE warning, which can be ignored.

After you upgrade Oracle Identity Manager , the following warning is seen in the OIM Server logs for once:
<Warning>  <oracle.iam.platform.entitymgr.impl> <BEA-000000>
<EntityManagerConfigImpl.getEntityConfig()..Can throw NPE with providerType:    
RDBMSChildDataProviderProvider Definition:  type: RDBMSChildDataProvider   className:
oracle.iam.platform.entitymgr.provider.rdbms.RDBMSChildDataProvider   m_params:  
parent_id_column : name:parent_id_column type:string required:true  multiValued:falseid_sequence : name:id_sequence type:string required:false multiValued:false  
table : name:table type:string required:true multiValued:false  
data_level_column : name:data_level_column type:string required:false  
multiValued:false  modify_timestamp_column : name:modify_timestamp_column type:stringrequired:false multiValued:false  
id_column : name:id_column type:string required:true multiValued:false  
optimistic_locking : name:optimistic_locking type:boolean required:true  
multiValued:false  
 paramName: id_type>  
<Apr 18, 2017 9:52:54,122 AM PDT> <Warning>  
<oracle.iam.platform.entitymgr.impl> <IAM-0040000> <Cannot load entity  
definition - java.lang.NullPointerException  at  
oracle.iam.platform.entitymgr.impl.EntityManagerConfigImpl.getEntityConfig(Ent  
ityManagerConfigImpl.java:1164)  at  
oracle.iam.platform.entitymgr.impl.EntityManagerConfigImpl.getEntityConfig(Ent  
ityManagerConfigImpl.java:1242)

This warning can be ignored.

11.9 Default Challenges Questions are not Updated After Upgrade

After you upgrade Oracle Identity Manager 11.1.2.3.0 to 12c, the default challenge questions are not updated. It still shows the old or existing challenge questions.

If you are using default password policy with default challenge questions, you must modify them manually post upgrade per your organization needs to have a better security.

11.10 OPSS Processing Error When Reconfiguring the Domain

When you upgrade a Oracle Identity Manager in an integrated environment, the OPSS processing error is encountered.

The following exception is seen when you run reconfig.sh command to reconfigure the Oracle Identity Manager domain:
SEVERE [93] com.oracle.cie.domain.progress.AbstractProgressGenerator - Error occurred in 
phase {OPSS Processing} execution. 
java.lang.IllegalStateException: SecurityContext: Domain Name: IAMGovernanceDomain 
JDBC URL: opss-audit-DBDS:jdbc:oracle:thin:@//slc03rmj.us.oracle.com:1521/IDMDB.US.ORACLE.COM 
JDBC URL: opss-data-source:jdbc:oracle:thin:@//slc03rmj.us.oracle.com:1521/idmdb.us.orac 
le.com 
Caused by: java.security.InvalidKeyException: Illegal key size         
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1039)         
at javax.crypto.Cipher.implInit(Cipher.java:805)         
at javax.crypto.Cipher.chooseProvider(Cipher.java:864)         
at javax.crypto.Cipher.init(Cipher.java:1396)         
at javax.crypto.Cipher.init(Cipher.java:1327)

To resolve this issue, do the following:

  1. Install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the following location:
  2. Copy local_policy.jar and US_export_policy.jar files to the location JAVA_HOME/jre/lib/security/. If the files already exist in the destination folder, overwrite them.

11.11 EditFailedException When Releasing Configuration From WebLogic Console

After you upgrade Oracle Identity Manager to 12c (12.2.1.3.0), when you click Release Configuration on Oracle WebLogic Console, the following error is seen:

weblogic.management.provider.EditFailedException: Error loading jdbc/OIMMDS-jdbc.xml
This error does not have any functional impact on the WebLogic configuration. To resolve this, open the following DataSource configurations, make any changes, save, and activate the changes:
  • ApplicationDB

  • mds-oim

  • OIMJMSStoreDS

  • OIMOperationsDB

  • soaOIMLookupDB

11.12 OIM Application Deployment Fails Intermittently

After you upgrade Oracle Identity Manager to 12c (12.2.1.3.0), the oim application deployment may fail with the following error:

<Error> <Deployer> <BEA-149231> <Unable to  set the activation state to true for the application "oim".  
weblogic.application.ModuleException: java.lang.NoClassDefFoundError: Could  
not initialize class oracle.iam.platform.utils.cache.Cache 

To resolve this, restart the Oracle Identity Manager Server.

11.13 soa-infra Application is in ‘Prepared’ State Post Upgrade

After you upgrade Oracle Identity Manager (OIM) and Oracle Access Management (OAM) integrated environment that was set up using Life Cycle Management (LCM) tool, the soa-infra application continues to be in Prepared mode, instead of showing active mode.

To resolve this issue, do the following:
  1. Stop all of the managed servers in the private domain. See Stopping Servers and Processes.
  2. Take a back up and delete the contents of the private domain.
  3. Pack the shared domain and unpack it on the private domain.
  4. Start the managed servers in private domain. See Starting the Servers.
Verify that the soa-infra application comes up in active state.

11.14 Oracle Identity Manager Server Throws OutOfMemoryError

When you start the servers post upgrade, OutOfMemoryError is thrown.

The following error is seen in the OIM server logs for this issue:

[oim_server1] [NOTIFICATION] [] 
[oracle.iam.oimdataproviders.impl] [tid: [ACTIVE].ExecuteThread: '9' for 
queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 
5679ce10-f0df-457f-88f1-6bc04e10aa13-000013b1,0] [APP: oim-runtime] 
[partition-name: DOMAIN] [tenant-name: GLOBAL] [DSID: 
0000Lg0PPYTBd5I_Ipt1if1OpGGi00000U] RM_DEBUG_PERF - 2017-03-24 06:09:51.087 - 
search criteria = arg1 = (usr_key) EQUAL arg2 = (1)[[ 
 query = Select usr.usr_key, usr.usr_status  from usr where usr.usr_key = ? 
 time = 1 
]] 
[2017-03-24T06:09:52.286-07:00] [oim_server1] [NOTIFICATION] [] 
[oracle.iam.oimdataproviders.impl] [tid: [ACTIVE].ExecuteThread: '9' for 
queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 
5679ce10-f0df-457f-88f1-6bc04e10aa13-000013b1,0] [APP: oim-runtime] 
[partition-name: DOMAIN] [tenant-name: GLOBAL] [DSID: 
0000Lg0PPYTBd5I_Ipt1if1OpGGi00000U] 
oracle.iam.oimdataproviders.impl.OIMUserDataProvider 
[2017-03-24T06:11:52.171-07:00] [oim_server1] [ERROR] [ADFC-50018] 
[oracle.adfinternal.controller.application.AdfcExceptionHandler] [tid: 
[ACTIVE].ExecuteThread: '27' for queue: 'weblogic.kernel.Default 
(self-tuning)'] [userId: xelsysadm] [ecid: 
5679ce10-f0df-457f-88f1-6bc04e10aa13-000013e0,0] [APP: 
oracle.iam.console.identity.self-service.ear] [partition-name: DOMAIN] 
[tenant-name: GLOBAL] [DSID: 0000Lg0RtM9Bd5I_Ipt1if1OpGGi00000V] ADFc: No 
exception handler was found for an application exception.[[ 
java.lang.OutOfMemoryError: GC overhead limit exceeded ]

To resolve this issue, do the following (on Linux):

  1. Ensure that you set the following parameters in the /etc/security/limits.conf file, to the specified values:
    FUSION_USER_ACCOUNT soft nofile 32767
    FUSION_USER_ACCOUNT hard nofile 327679
    
  2. Ensure that you set UsePAM to Yes in the /etc/ssh/sshd_config file.
  3. Restart sshd.
  4. Log out (or reboot) and log in to the system again.
Before you start the Oracle Identity Manager 12c Server, run the following command to increase the limit of open files, so that you do not hit into memory issues:

limit maxproc 16384

11.15 SOA Fails to Join Coherence Cluster During the First Start After Upgrade

After you upgrade Oracle Identity Manager (OIM) and Oracle Access Management (OAM) integrated environment, when you start the Oracle SOA Suite Server for the first time, the coherence cluster fails to start with the following error:

<Error> <com.oracle.coherence> <BEA-000000>  <2017-08-03 15:49:14.010/123.585 Oracle Coherence GE 12.2.1.3.0 
<Error>  (thread=Cluster, member=n/a): This member could not join the cluster because  of a mismatch 
between Coherence license types. This member was attempting to  run in dev mode. 
Rejected by Member(Id=1, Timestamp=2017-08-03 15:36:20.874,  Address=10.241.57.43:57023, MachineId=8125,  
Location=process:19490,member:oam_policy_mgr1, Role=WeblogicServer).>  
<Aug 3, 2017 3:49:14,017 PM UTC> <Error> <com.oracle.coherence> <BEA-000000>  
<2017-08-03 15:49:14.017/123.592 Oracle Coherence GE 12.2.1.3.0 <Error>  (thread=[ACTIVE] ExecuteThread: 
'10' for queue: 'weblogic.kernel.Default  (self-tuning)', member=n/a): Error while starting cluster:  
java.lang.RuntimeException: Failed to start Service "Cluster"  (ServiceState=SERVICE_STOPPED, STATE_JOINING)        
at  com.tangosol.coherence.component.util.daemon.queueProcessor.Service.start(Serv  ice.CDB:38) 

This occurs if both the OIM and OAM WebLogic domains have the same default coherence cluster port. To resolve this issue, change the cluster port for either OAM or OIM by doing the following, pre-upgrade:

  1. Log in to the WebLogic Administration console using following URL:
    http://weblogic_admin_host:weblogic_admin_port/console
  2. Click Environments on the left navigation pane.
  3. Click Coherence Clusters, and then click defaultCoherenceCluster.
  4. Change the port from 7574 to 7575 for either OIM or OAM .

11.16 LDAP User Create and Update Reconciliation Job Fails

LDAP User Create and Update Reconciliation job fails to run with the following exception:

java.lang.Exception: Full resync required. Reason: The provided cookie is older than the start of historical 
in the server for the replicated domain : dc=us,dc=oracle,dc=com

To resolve this issue, you must update the parameter Last Change Number of the job. to do this, complete the following steps:

  1. Get the value from Oracle Unified Directory using the following command:
    ./ldapsearch -h <OUDHOST>-p 1389 -D "cn=oudadmin" -w Fusionapps1 --control "1.3.6.1.4.1.26027.1.5.4:false:;" -b "cn=changelog" "(objectclass=*)" "*" +
  2. Search for the following line in the output of the above command:
    changeLogCookie: dc=us,dc=oracle,dc=com:0000015dcefd65a3000100000102;
  3. Fill in dc=us,dc=oracle,dc=com:0000015dcefd65a3000100000102; in to the Last Change Number parameter of the job.

11.17 BI Managed Server is Seen on WebLogic Console After Upgrade

If your 11g Release 2 (11.1.2.3.0) domain had a custom name for BI Managed Server, that is, the name other than bi_server1, then this Managed Server will not be deleted during the upgrade.

Post upgrade, the BI managed server lying in Oracle Identity Governance domain is of no use. You can delete this BI server manually by doing the following:

  1. Log in to the WebLogic Administration Console using the following URL:
    http://weblogic_admin_host:weblogic_admin_port/console
  2. Click Environments on the left navigation pane.
  3. Click Servers.
  4. Select the check box against BI Managed Server, and click Delete.