3 Oracle Access Management

Known issues and workarounds for Oracle Access Management include general issues and configuration issues.

Note:

See What's New in Oracle Access Management for information about new features in this release of Oracle Access Management.

Bundle Patch for Oracle Access Management Server and WebGate 12c (12.2.1.3.5) is available. For more information see,

3.1 Access Management Known Issues and Workarounds

This topic describes known issues and workarounds for Oracle Access Management. It includes the following topics:

3.1.1 Takes time to propagate a policy or any metadata change

Issue

Set the password policy option "Disallow previous passwords" and then create a new password that reuses a previously used password. The password is still accepted.

Workaround

Any change to a policy (or to other metadata) takes time to propagate across the OAM cluster, and until propagation completes the previous policy is still enforced, which is why the reused password is accepted. Wait at least 60 seconds, or longer if the network is slow, before verifying that the change has taken effect. It is recommended that such changes be made while the OAM servers are offline.

3.1.2 User name field in SME UI is case sensitive

Issue

The user name search on the OAM console session management page is case sensitive.

3.1.3 Unused References in OAM console

Issue

The following references in the OAM console are unused:

  • Access Portal

  • OAuth Service

  • Allow OAuth Token

  • Token Issuance Policies

  • Access Portal Service Settings

3.1.4 Deprecated Java Policy

For upgrade customers, refer to the Java policy. See TLS1.2 Support in Oracle Access Management.

3.1.5 Test-to-Production Not Supported in OAM

Issue

OAM does not support the Test-to-Production (T2P) tools in this release.

Workaround

To create one or more cloned data centers, follow the steps in the procedure Adding an Additional Clone Data Center to the Existing Multi-Data Center Setup.

3.1.6 chghost Tool does not Work with OAM

Issue

OAM does not support the chghost tool in this release.

Workaround

The host:port of the primary and secondary servers can be configured through the agent registration parameters in the OAM console.

See Configuring and Managing Registered OAM Agents Using the Console.

For the WebGate profiles and policies held on the OAM server, use import/export of partners or Bulk Updates for WebGates.

For the WebGates themselves, you can do either of the following when host and port information changes:

Note:

ObAccessClient.xml is located in the WebGate instance directory (${Oracle_Home}/user_projects/domains/${DOMAIN_HOME}/config/fmwconfig/components/OHS/ohs1/webgate/config/ObAccessClient.xml). Changing the file only updates the agent side; the corresponding agent registration on the OAM server must be updated as well, or the agent will no longer be able to communicate with the server.
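As an added example (not Oracle's code and not part of these release notes), the following script rewrites the primary/secondary server host:port entries in a WebGate ObAccessClient.xml after a host change, which is the agent-side step that chghost would otherwise have done. It assumes the file uses the ValNameList/NameValPair layout under the http://www.oblix.com/ namespace; the embedded XML fragment and the hostnames are constructed for illustration. Servers whose old host:port is not in the mapping are left untouched, and the before/after server list is returned so the operator can review it.

```python
"""Rewrite primary/secondary OAM server host:port entries in a WebGate
ObAccessClient.xml. Added example; not Oracle code. The element layout
(ValNameList/NameValPair under the http://www.oblix.com/ namespace) and
the hostnames below are assumptions made for illustration."""
import xml.etree.ElementTree as ET

OBLIX_NS = "http://www.oblix.com/"
NS = {"ob": OBLIX_NS}

# Constructed sample fragment, not a real agent's file.
SAMPLE_OBACCESSCLIENT = """<?xml version="1.0" encoding="UTF-8"?>
<CompoundList xmlns="http://www.oblix.com/" ListName="">
  <SimpleList>
    <NameValPair ParamName="id" Value="portal_wg"/>
    <NameValPair ParamName="preferredHost" Value="portal.example.com"/>
  </SimpleList>
  <ValNameList ListName="primaryServer1">
    <NameValPair ParamName="host" Value="oam1.old.example.com"/>
    <NameValPair ParamName="port" Value="5575"/>
    <NameValPair ParamName="numOfConnections" Value="1"/>
  </ValNameList>
  <ValNameList ListName="secondaryServer1">
    <NameValPair ParamName="host" Value="oam2.old.example.com"/>
    <NameValPair ParamName="port" Value="5575"/>
    <NameValPair ParamName="numOfConnections" Value="1"/>
  </ValNameList>
</CompoundList>
"""


def _server_lists(root):
    """Yield (ListName, host NameValPair, port NameValPair) for every
    primaryServerN / secondaryServerN block, in document order."""
    for vl in root.iter(f"{{{OBLIX_NS}}}ValNameList"):
        name = vl.get("ListName", "")
        if not name.startswith(("primaryServer", "secondaryServer")):
            continue
        pairs = {p.get("ParamName"): p for p in vl.findall("ob:NameValPair", NS)}
        if "host" in pairs and "port" in pairs:
            yield name, pairs["host"], pairs["port"]


def list_servers(xml_text):
    """Return [(ListName, 'host:port')] so an operator can review what the
    agent points at before and after the rewrite."""
    root = ET.fromstring(xml_text)
    return [(n, f"{h.get('Value')}:{p.get('Value')}") for n, h, p in _server_lists(root)]


def rewrite_servers(xml_text, mapping):
    """Replace every server whose old 'host:port' is a key in mapping with
    the mapped 'host:port'. Returns (new_xml, changes). Servers not in the
    mapping are left untouched so a partial mapping cannot silently break
    the agent."""
    ET.register_namespace("", OBLIX_NS)   # keep the default namespace on output
    root = ET.fromstring(xml_text)
    changes = []
    for name, host_el, port_el in _server_lists(root):
        old = f"{host_el.get('Value')}:{port_el.get('Value')}"
        if old not in mapping:
            continue
        new_host, new_port = mapping[old].rsplit(":", 1)
        if not new_port.isdigit():
            raise ValueError(f"bad port in mapping for {old}: {mapping[old]}")
        host_el.set("Value", new_host)
        port_el.set("Value", new_port)
        changes.append((name, old, mapping[old]))
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    # Hypothetical move of both OAM servers to new hosts.
    mapping = {"oam1.old.example.com:5575": "oam1.new.example.com:5575",
               "oam2.old.example.com:5575": "oam2.new.example.com:5576"}
    print("before:", list_servers(SAMPLE_OBACCESSCLIENT))
    new_xml, changes = rewrite_servers(SAMPLE_OBACCESSCLIENT, mapping)
    for change in changes:
        print("%s: %s -> %s" % change)
    print("after: ", list_servers(new_xml))
```

Run it against a copy of the real ObAccessClient.xml, review the printed before/after lists, and only then replace the file and restart the web server; the agent's registration on the OAM server still has to be updated separately (console or Bulk Updates) for the two sides to agree.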

3.1.7 Exception occurs while using OAM Access Tester Tool

Issue

In the OAM Access Tester tool, after entering the server connection details and clicking Connect, the connection is established but the following exception is logged.

In Access Tester Console:

SEVERE: Server reported that incorrect NAP version is being used, while client attempted to communicate using NAP version 5. See server log for more information.

Stack trace in Server Logs:

<Error> <oracle.oam.proxy.oam> <OAM-04020> <Exception encountered while processing the request message for agent {0} at IP {1} Request message {2} :oracle.security.am.proxy.oam.requesthandler.OAMProxyException: Partner: TestWebgate is registered with version 11.0.0.0. Runtime version of agent is different: 11.* .Agent will not be able to communicate with the server   
at oracle.security.am.proxy.oam.requesthandler.ObAAAServiceServer.getClientAuthentInfo(ObAAAServiceServer.java:159)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.ObAuthenReqChallengeHandler(RequestHandler.java:566)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleRequest(RequestHandler.java:229)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleMessage(RequestHandler.java:180)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean.getResponseMessage(ControllerMessageBean.java:94)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.MessageDrivenLocalObject.invoke(MessageDrivenLocalObject.java:127)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.getResponseMessage(Unknown Source)
at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.getResponse(ObClientToProxyHandler.java:316)
at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.messageReceived(ObClientToProxyHandler.java:270)
at org.apache.mina.common.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:743)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.common.IoFilterEvent.fire(IoFilterEvent.java:54)
at org.apache.mina.common.IoEvent.run(IoEvent.java:62)
at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:85)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:209)
at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352)
at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337)
at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57)
at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:644)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:415)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:355)
>

Note:

The above exception is expected while using Access Tester. Access Tester first tries NAP version 5, then falls back to NAP version 4 and then NAP version 3 if the earlier attempt fails; the OAM-04020 error logged for the failed attempt has no impact on functionality.

3.2 Access Management Configuration Issues and Workarounds

This topic describes configuration issues and workarounds for Oracle Access Management. It includes the following topic:

3.2.1 Audit Integration with BI Publisher

Issue

BI Publisher is not supported in 12c PS3, so some reports might not work after upgrade.

BI Publisher support will be available after PS3.

3.3 Access Management Console Issues

This topic describes console issues and workarounds for Oracle Access Management (Access Manager). It includes the following topic:

3.3.1 OOB OAM console logout does not work

Issue

Through 11g R2PS3, IAMSuiteAgent was the out-of-the-box (OOB) agent protecting the OAM console. From 12c PS3 onwards, the OAM console can be protected using a WebGate agent.

Workaround

Close the OAM console instead of logging out.

No server-side session is created when the OAM console is accessed with the out-of-the-box protection, so there is no session for logout to terminate. As recommended in the Enterprise Deployment Guide (EDG), protect the OAM console with a WebGate agent.

3.4 Features Not Supported in Access Manager 12.2.1.3.0

The following table lists the features that are unsupported from OAM 12.2.1.3.0 onwards. Each entry gives the unsupported feature, a description, and the migration path.

10g OSSO server co-existence

Description: The OAM 12c server does not support co-existence with OSSO servers.

Migration path: Upgrade from OSSO to OAM 11g R2PS3, then upgrade to OAM 12c.

OpenSSO server co-existence

Description: The OAM 12c server does not support co-existence with the OpenSSO server.

Migration path: Upgrade to OAM 11g R2PS3, then upgrade to OAM 12c.

OAM 10g server co-existence

Description: The OAM 12c server does not support co-existence with the OAM 10g server.

Migration path: Migrate to the OAM 12c server.

OpenSSO agents

Description: OpenSSO agents are not supported in the OAM 12c release.

Migration path: Migrate to supported 12c agents. OAM 11g and 12c WebGates and AccessGates are supported in OAM 12.2.1.3.0.

mod_osso

Description: OAM 12c does not support mod_osso (OSSO Agent Proxy) agents.

Migration path: Migrate to 12c WebGate agents and upgrade to OAM 12c.

OAM 10g WebGate

Description: The OAM 12c server does not support OAM 10g WebGates.

Migration path: Migrate to OAM 11g R2PS3 or OAM 12c WebGates, and upgrade the server to OAM 12c.

IDMConfigTool

Description: OAM 12c does not support the following commands and attributes:

  • prepareIDStore=FUSION

  • prepareIDStore=OAAM

  • configPolicyStore

  • configOVD

  • disableOVDAccessConfig

  • postProvConfig

  • validate: all options are not supported

  • ovdConfigUpgrade

  • upgradeOIMTo11gWebgate

  • POLICYSTORE_SHARES_IDSTORE

  • SPLIT_DOMAIN

IAMSuiteAgent

Description: OAM 12c does not support IAMSuiteAgent.

Migration path: Through 11g R2PS3, IAMSuiteAgent was the OOB agent protecting the OAM console. From 12c PS3 onwards, the console is protected by the default OOB login page. As recommended in the Enterprise Deployment Guide (EDG), protect the OAM console with a WebGate agent.

Oracle Mobile Security Suite (OMSS)

Description: OAM 12c does not support OMSS.

In 12c, for mobile and social login use cases, we recommend that customers use standard OAuth. We are deprecating the proprietary ways of achieving these use cases so that customers can move to a more standards-based approach that allows better interoperability and an easier transition to Oracle Identity Cloud Service (IDCS) in the future. The following services are deprecated in 12c:

  • Mobile and Social Services

  • Mobile OAuth Service

  • Security Token Service

  • Access Portal Service