3 Oracle Access Management
Known issues and workarounds for Oracle Access Management include general issues and configuration issues.
Note:
See What's New in Oracle Access Management for information about new features in this release of Oracle Access Management.
Bundle Patch for Oracle Access Management Server and Webgate 12 c (12.2.1.3.5) release is available. For more information see,
3.1 Access Management Known Issues and Workarounds
This topic describes known issues and workarounds for Oracle Access Management. It includes the following topics:
3.1.1 Takes time to propagate a policy or any metadata change
Issue
Set the password policy option to "Disallow previous passwords" and create a new password using the previously used password. The password can still be created.
Workaround
Any change to a policy takes time to propagate across the OAM cluster. Wait a minimum of 60 seconds, or longer if the network is slow, for the change to take effect. It is recommended that the changes be made when the OAM servers are offline.
3.1.2 User name field in SME UI is case sensitive
Issue
OAM console based session management search is case sensitive.
3.1.3 Unused References in OAM console
Issue
The following references in the OAM console are unused:
- Access Portal
- OAuth Service
- Allow OAuth Token
- Token Issuance Policies
- Access Portal Service Settings
3.1.4 Deprecated Java Policy
Upgrade customers should refer to the Java policy. See TLS1.2 Support in Oracle Access Management.
3.1.5 Test-to-Production Not Supported in OAM
Issue
OAM does not support Test-to-Production (T2P) tools in this release.
Workaround
To create one or more cloned data centers follow the steps in the procedure, Adding an Additional Clone Data Center to the Existing Multi-Data Center Setup.
3.1.6 chghost Tool does not Work with OAM
Issue
OAM does not support the chghost tool in this release.
Workaround
The host:port of the primary and secondary servers can be configured using the UI parameters in the OAM console.
See Configuring and Managing Registered OAM Agents Using the Console
For the webgate profiles and policies on the OAM server, use import/export of partners or bulk updates for Webgates.
For webgates, you can do either of the following when host and port information is changed:
- Manually edit the host and port information of the new OAM server by updating ObAccessClient.xml on the target host.
- Register the Webgate agent with the new Oracle Access Manager using the Oracle Access Manager Administration Console and replace the old artifacts.
See Registering an OAM Agent using the console
Alternatively, you can use the RREG command-line tool to register a new Webgate agent.
See Locating and Preparing the RREG Tool and Remote Registration Tools, Modes, and Process
Note:
ObAccessClient.xml can be found at webgate_Instance_Dir (${Oracle_Home}/user_projects/domains/$(DOMAIN_HOME)/config/fmwconfig/components/OHS/ohs1/webgate/config/ObAccessClient.xml)
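The manual edit described above, as an added example that is not part of the release note or of the product: a script that reads the primary/secondary server entries from an ObAccessClient.xml and rewrites one server's host and port, failing loudly if the expected entries are missing so that a mistyped list name cannot leave the agent silently pointing at the old server. The element layout (ParamsCtlg, CompoundList ListName="primaryServer1", NameValPair ParamName="host"/"port") is an assumption modelled on the WebGate file format, and the sample document is constructed for this example.

```python
"""Rewrite the OAM server host/port in a WebGate ObAccessClient.xml.

Assumed layout (not taken from the release note): a ParamsCtlg root in the
http://www.oblix.com namespace, with one CompoundList per server list
(primaryServer1, secondaryServer1, ...) holding NameValPair host/port entries.
"""
import sys
import xml.etree.ElementTree as ET

NS = "http://www.oblix.com"
ET.register_namespace("", NS)  # keep the default namespace when serialising

# Constructed sample file: a WebGate still pointing at the old OAM servers.
SAMPLE_OBACCESSCLIENT = f"""<?xml version="1.0"?>
<ParamsCtlg xmlns="{NS}" CtlgName="ObAccessClient">
  <ValNameList xmlns="{NS}" ListName="default_parameters">
    <NameValPair ParamName="id" Value="TestWebgate"/>
    <NameValPair ParamName="mode" Value="simple"/>
  </ValNameList>
  <CompoundList xmlns="{NS}" ListName="primaryServer1">
    <ValNameList xmlns="{NS}" ListName="primaryServer1">
      <NameValPair ParamName="host" Value="oldoam.example.com"/>
      <NameValPair ParamName="port" Value="5575"/>
      <NameValPair ParamName="numOfConnections" Value="1"/>
    </ValNameList>
  </CompoundList>
  <CompoundList xmlns="{NS}" ListName="secondaryServer1">
    <ValNameList xmlns="{NS}" ListName="secondaryServer1">
      <NameValPair ParamName="host" Value="oldoam2.example.com"/>
      <NameValPair ParamName="port" Value="5575"/>
    </ValNameList>
  </CompoundList>
</ParamsCtlg>
"""

COMPOUND = f"{{{NS}}}CompoundList"
PAIR = f"{{{NS}}}NameValPair"


def current_servers(xml_text):
    """Return {listName: (host, port)} for every primary/secondary server list."""
    root = ET.fromstring(xml_text)
    servers = {}
    for cl in root.iter(COMPOUND):
        name = cl.get("ListName", "")
        if not name.startswith(("primaryServer", "secondaryServer")):
            continue
        vals = {p.get("ParamName"): p.get("Value") for p in cl.iter(PAIR)}
        servers[name] = (vals.get("host"), vals.get("port"))
    return servers


def rewrite_server(xml_text, list_name, new_host, new_port):
    """Return the XML with host/port of one server list replaced.

    Raises KeyError when the list or its host/port entries are absent and
    ValueError for an out-of-range port, instead of writing a partial change.
    """
    port = int(new_port)
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {new_port!r}")
    root = ET.fromstring(xml_text)
    found = {}
    for cl in root.iter(COMPOUND):
        if cl.get("ListName") != list_name:
            continue
        for pair in cl.iter(PAIR):
            if pair.get("ParamName") in ("host", "port"):
                found[pair.get("ParamName")] = pair
    if set(found) != {"host", "port"}:
        raise KeyError(f"{list_name}: host/port entries not found")
    found["host"].set("Value", new_host)
    found["port"].set("Value", str(port))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python script.py ObAccessClient.xml primaryServer1 newhost 5575
    # (runs against the constructed sample when no arguments are given)
    if len(sys.argv) == 5:
        path, list_name, host, port = sys.argv[1:]
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        sys.stdout.write(rewrite_server(text, list_name, host, port))
    else:
        updated = rewrite_server(SAMPLE_OBACCESSCLIENT, "primaryServer1",
                                 "newoam.example.com", 5575)
        print(current_servers(updated))
```

The script prints the rewritten document rather than overwriting the file in place, so the operator can diff it against the original before copying it into webgate_Instance_Dir and restarting the web server.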
3.1.7 Exception occurs while using OAM Access Tester Tool
Issue
In the OAM Access Tester tool, after entering the server connection details and clicking the Connect button, the connection is established but the following exception is logged.
In Access Tester Console:
SEVERE: Server reported that incorrect NAP version is being used, while client attempted to communicate using NAP version 5. See server log for more information.
Stack trace in Server Logs:
<Error> <oracle.oam.proxy.oam> <OAM-04020> <Exception encountered while processing the request message for agent {0} at IP {1} Request message {2} :oracle.security.am.proxy.oam.requesthandler.OAMProxyException: Partner: TestWebgate is registered with version 11.0.0.0. Runtime version of agent is different: 11.* .Agent will not be able to communicate with the server
at oracle.security.am.proxy.oam.requesthandler.ObAAAServiceServer.getClientAuthentInfo(ObAAAServiceServer.java:159)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.ObAuthenReqChallengeHandler(RequestHandler.java:566)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleRequest(RequestHandler.java:229)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleMessage(RequestHandler.java:180)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean.getResponseMessage(ControllerMessageBean.java:94)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.MessageDrivenLocalObject.invoke(MessageDrivenLocalObject.java:127)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.getResponseMessage(Unknown Source)
at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.getResponse(ObClientToProxyHandler.java:316)
at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.messageReceived(ObClientToProxyHandler.java:270)
at org.apache.mina.common.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:743)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.common.IoFilterEvent.fire(IoFilterEvent.java:54)
at org.apache.mina.common.IoEvent.run(IoEvent.java:62)
at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:85)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:209)
at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352)
at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337)
at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57)
at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:644)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:415)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:355)
>
Note:
The above exception is seen while using Access Tester. Access Tester tries to connect with NAP version 5, then with NAP version 4, and then with NAP version 3 if the earlier versions do not work. There is no impact on functionality.
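Because OAM-04020 is also the message raised when a production agent really is registered with a version it does not run, an operator reading the server log wants to tell the expected Access Tester noise apart from a genuine agent mismatch. The following is an added example, not part of the release note or of the product: it parses the partner name, registered version and runtime version out of OAM-04020 entries and counts them per partner. The sample log lines are constructed for this example (the first mirrors the entry quoted above); the field order in the message is taken from that entry.

```python
"""Summarise OAM-04020 agent version-mismatch entries from an OAM server log."""
import re
from collections import Counter

# Field layout taken from the OAM-04020 entry quoted in the release note.
OAM04020 = re.compile(
    r"<OAM-04020>.*?Partner: (?P<partner>\S+) is registered with version "
    r"(?P<registered>[\d.]+)\. Runtime version of agent is different: "
    r"(?P<runtime>[\d.*]+)"
)

# Constructed sample log lines; the first one mirrors the entry in the release note.
SAMPLE_LOG = [
    "<Error> <oracle.oam.proxy.oam> <OAM-04020> <Exception encountered while "
    "processing the request message for agent {0} at IP {1} Request message {2} "
    ":oracle.security.am.proxy.oam.requesthandler.OAMProxyException: Partner: "
    "TestWebgate is registered with version 11.0.0.0. Runtime version of agent "
    "is different: 11.* .Agent will not be able to communicate with the server",
    "<Info> <constructed line that is not a version mismatch>",
    "<Error> <oracle.oam.proxy.oam> <OAM-04020> <... Partner: TestWebgate is "
    "registered with version 11.0.0.0. Runtime version of agent is different: "
    "11.* .Agent will not be able to communicate with the server",
]


def parse_mismatch(line):
    """Return {'partner', 'registered', 'runtime'} for an OAM-04020 line, else None."""
    m = OAM04020.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count mismatch events per (partner, registered version, runtime version)."""
    counts = Counter()
    for line in lines:
        event = parse_mismatch(line)
        if event:
            counts[(event["partner"], event["registered"], event["runtime"])] += 1
    return counts


if __name__ == "__main__":
    for (partner, registered, runtime), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{partner}: registered {registered}, runtime {runtime}, {n} event(s)")
```

A partner that appears only while someone is running Access Tester matches the behaviour described in the note; the same message repeating for a partner that serves real traffic indicates an agent whose registered version should be reviewed.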
3.2 Access Management Configuration Issues and Workarounds
This topic describes configuration issues and workarounds for Oracle Access Management. It includes the following topic:
3.3 Access Management Console Issues
This topic describes console issues and workarounds for Oracle Access Management (Access Manager). It includes the following topic:
3.3.1 OOB OAM console logout does not work
Issue
Up to R2PS3, IAMSuiteAgent was the OOB agent protecting the OAM console. From 12c PS3 onwards, the OAM console can be protected using a webgate agent.
Workaround
Close the OAM console instead of logging out.
A server-side session is not created when the OAM console is accessed OOB. As per the EDG (Enterprise Development Guide), it is recommended to protect the OAM console using a webgate agent.
3.4 Features Not Supported in Access Manager 12.2.1.3.0
The following table lists the features that are unsupported from OAM 12.2.1.3.0 onwards and provides the migration path:
Unsupported Features in OAM 12.2.1.3.0 | Description | Migration Path
---|---|---
10g OSSO server co-existence | OAM 12c server does not support co-existence with the OSSO servers. | Upgrade from OSSO to OAM 11g R2PS3 and then upgrade to OAM 12c.
OpenSSO server co-existence | OAM 12c server does not support co-existence with the OpenSSO server. | Upgrade to OAM 11g R2PS3 and then upgrade to OAM 12c.
OAM 10g server co-existence | OAM 12c server does not support co-existence with the OAM 10g server. | Migrate to the OAM 12c server.
OpenSSO agents | OpenSSO agents are not supported in the OAM 12c release. | Migrate to supported 12c agents. OAM 11g and 12c WebGates and AccessGates are supported in OAM 12.2.1.3.0.
mod_osso | OAM 12c does not support mod_osso (OSSO Agent Proxy) agents. | Migrate to 12c WebGate agents and upgrade to OAM 12c.
OAM 10g WebGate | OAM 12c server does not support OAM 10g WebGates. | Migrate to OAM 11g R2PS3 or OAM 12c WebGates and upgrade the server to OAM 12c.
IDMConfigTool | OAM 12c does not support the following commands and attributes: | 
IAMSuiteAgent | OAM 12c does not support IAMSuiteAgent. Up to R2PS3, IAMSuiteAgent was the OOB agent protecting the OAM console. From 12c PS3 onwards, this is done using the default OOB login page. As per the EDG (Enterprise Development Guide), it is recommended to protect the OAM console using a webgate agent. | 
Oracle Mobile Security Suite (OMSS) | OAM 12c does not support OMSS. | In 12c, for mobile and social login use cases, we recommend that customers use standard OAuth. We are deprecating the proprietary way of achieving these use cases so that customers can move to a more standards-based approach that allows better interoperability and an easier transition to Oracle Identity Cloud Service (IDCS) in the future. The following services are deprecated in 12c: Mobile and Social Services, Mobile OAuth Service, Security Token Service, Access Portal Service.