3 Oracle Access Management

Known issues and workarounds for Oracle Access Management include general issues and configuration issues.

Note:

See What's New in Oracle Access Management for information about new features in this release of Oracle Access Management.

3.1 Access Management Known Issues and Workarounds

This topic describes known issues and workaround for Oracle Access Management. It includes the following topics:

3.1.1 Takes time to propagate a policy or any metadata change

Issue

Set the password policy option to "Disallow previous passwords" and create a new password using the previously used password. The password can still be created.

Workaround

When you perform any change to the policy, it takes time to propagate across the OAM cluster. You should wait for a minimum of 60 seconds or more if the network is slow for the changes to take effect. It is recommended that the changes be made when the OAM servers are offline

3.1.2 User name field in SME UI is case sensitive

Issue

OAM console based session management search is case sensitive.

3.1.3 Unused References in OAM console

Issue

Following are the references in OAM console that are unused:

  • Access Portal

  • OAuth Service

  • Allow OAuth Token

  • Token Issuance Policies

  • Access Portal Service Settings

3.1.4 Deprecated Java Policy

For Upgrade Customers, refer java policy. See TLS1.2 Support in Oracle Access Management

3.1.5 Test-to-Production Not Supported in OAM

Issue

OAM does not support Test-to-Production (T2P) tools in this release.

Workaround

To create one or more cloned data centers follow the steps in the procedure, Adding an Additional Clone Data Center to the Existing Multi-Data Center Setup.

3.1.6 chghost Tool does not Work with OAM

Issue

OAM does not support chghost tool in this release.

Workaround

The host:port for primary and secondary servers can be configured using the UI parameters on OAM console.

See Configuring and Managing Registered OAM Agents Using the Console

The webgate profiles and policies on OAM server use the import/export partners or Bulk updates for Webgates.

For webgates, you can do either of the following when host and port information is changed:

Note:

ObAccessClient.xml can be found at webgate_Instance _Dir (${Oracle_Home}/user_projects/domains/$(DOMAIN_HOME)/config/fmwconfig/components/OHS/ohs1/webgate/config/ObAccessClient.xml)

3.1.7 Exception occurs while using OAM Access Tester Tool

Issue

In OAM Access Tester tool, after entering sever connection details and clicking on Connect button, the connection will be established but with the following exception.

In Access Tester Console:

SEVERE: Server reported that incorrect NAP version is being used, while client attempted to communicate using NAP version 5. See server log for more information.

Stack trace in Server Logs:

<Error> <oracle.oam.proxy.oam> <OAM-04020> <Exception encountered while processing the request message for agent {0} at IP {1} Request message {2} :oracle.security.am.proxy.oam.requesthandler.OAMProxyException: Partner: TestWebgate is registered with version 11.0.0.0. Runtime version of agent is different: 11.* .Agent will not be able to communicate with the server   
at oracle.security.am.proxy.oam.requesthandler.ObAAAServiceServer.getClientAuthentInfo(ObAAAServiceServer.java:159)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.ObAuthenReqChallengeHandler(RequestHandler.java:566)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleRequest(RequestHandler.java:229)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleMessage(RequestHandler.java:180)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean.getResponseMessage(ControllerMessageBean.java:94)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.MessageDrivenLocalObject.invoke(MessageDrivenLocalObject.java:127)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.getResponseMessage(Unknown Source)
at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.getResponse(ObClientToProxyHandler.java:316)
at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.messageReceived(ObClientToProxyHandler.java:270)
at org.apache.mina.common.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:743)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.common.IoFilterEvent.fire(IoFilterEvent.java:54)
at org.apache.mina.common.IoEvent.run(IoEvent.java:62)
at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:85)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:209)
at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352)
at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337)
at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57)
at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:644)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:415)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:355)
>

Note:

The above exception will be seen while using Access Tester. Access Tester will try to connect with NAP version 5, then with NAP version 4 and followed by NAP version 3 if the former does not work. But, there is no impact on the functionality.

3.1.8 Unsupported Features targeted for bundle patches on top of 12.2.1.3.0

The following features are currently not supported in 12.2.1.3.0. However, support for these features are targeted for bundle patches on top of 12.2.1.3.0:

  • Mobile and Social Services

  • Mobile OAuth Service

  • Security Token Service

  • Access Portal Service

3.2 Access Management Configuration Issues and Workarounds

This topic describes Configuration issues and workaround for Oracle Access Management. It includes the following topic:

3.2.1 Audit Integration with BI Publisher

Issue

BI Publisher is not supported in 12cPS3. Due to which, post upgrade some reports might not work.

BI Publisher will be available post PS3.

3.3 Access Management Console Issues

This topic describes Console issues and workaround for Oracle Access Management (Access Manager). It includes the following topic:

3.3.1 OOB OAM console logout does not work

Issue

Till R2PS3, IAMSuiteAgent was the OOB agent protecting the OAM console. From 12c PS3 onwards, OAM console can be protected using a webgate agent.

Workaround

Close OAM console instead of logout.

Server side session will not be created when OAM console accesses OOB. As per EDG (Enterprise Development Guide), it is recommended to protect OAM console using a webgate agent.

3.4 Features Not Supported in Access Manager 12.2.1.3.0

The following table lists the features that will be unsupported from OAM 12.2.1.3.0 and provides the migration path:

Unsupported Features in OAM 12.2.1.3.0 Description Migration Path

10g OSSO server co-existence

OAM 12c server does not support co-existence with the OSSO servers

Upgrade from OSSO to OAM 11g R2PS3 and then upgrade to OAM 12c.

OpenSSO server co-existence

OAM 12c server does not support co-existence with the OpenSSO server.

Upgrade to OAM 11gR2PS3 and then upgrade to OAM 12c.

OAM 10g server co-existence

OAM 12c server does not support co-existence with OAM 10g server.

Migrate to OAM 12c server.

OpenSSO agents

OpenSSO agents are not supported in the OAM 12c release.

Migrate to supported 12c agents.

OAM 11g and 12c WebGates and Accessgates are supported in OAM 12.2.1.3.0

mod_osso

OAM 12c does not support mod OSSO (OSSO Agent Proxy) agents.

Migrate to 12c WebGate agents and upgrade to OAM 12c.

OAM10g WebGate

OAM 12c server does not support OAM 10 WebGates.

Migrate to OAM11g R2PS3 or OAM 12c WebGates

Upgrade the server to OAM 12c.

IDMConfigTool

OAM 12c does not support the following commands and attributes:

  • prepareIDStore= FUSION

  • prepareIDStore= OAAM

  • configPolicyStore

  • configOVD

  • disableOVDAccessConfig

  • postProvConfig

  • validate: All options are not supported

  • ovdConfigUpgrade

  • upgradeOIMTo11gWebgate

  • POLICYSTORE_SHARES_IDSTORE

  • SPLIT_DOMAIN

 

IAMSuiteAgent

OAM 12c does not support IAMSuiteAgent.

Till R2PS3, IAMSuiteAgent was the OOB agent protecting the OAM console. From 12c PS3 onwards, this is done using default OOB Login page.

As per EDG (Enterprise Development Guide), it is recommended to protect OAM console using a webgate agent.

 

Oracle Mobile Security Suite (OMSS)

OAM 12c does not support OMSS.