Oracle® Fusion Middleware Release Notes 11g Release 1 (11.1.1) for Linux x86-64 Part Number E14770-33 |
|
|
PDF · Mobi · ePub |
This chapter describes issues associated with Oracle IRM Server and Oracle IRM Desktop, together known as 'Oracle IRM'. Unless otherwise stated, the version of Oracle IRM to which these release notes apply is 11.1.1.5.0 (incorporating version 11.1.50 of Oracle IRM Desktop).
This chapter includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
Section 37.1.1, "Some Functionality is Disabled or Restricted in Adobe Reader X and Adobe Reader 9"
Section 37.1.2, "Limitations of Support for Microsoft SharePoint in this Release"
Section 37.1.3, "Lotus Notes Email Message May be Lost if Context Selection Dialog is Canceled"
Section 37.1.5, "No Prompt to Use Local Drafts Folder for Sealed Files in SharePoint 2010"
Section 37.1.8, "Support for Microsoft Windows 2000 Has Been Removed"
Section 37.1.9, "Unreadable Error Message Text When Client and Server Locales are Different"
Section 37.1.10, "Changes Lost if Tab Changed Before Applying the Apply Button"
Section 37.1.12, "Microsoft Word May Hang if a Sealed Email is Open During Manual Rights Check-In"
Section 37.1.13, "Sealed Emails in Lotus Notes will Sometimes Show a Temporary File Name"
Section 37.1.14, "No Support for Sealing Files of 2GB or Larger in Size in Oracle IRM Desktop"
Section 37.1.17, "Log Out Link Inoperative When Using OAM 11g for SSO"
Section 37.1.18, "Double-byte Languages Cannot be Used for Entering Data with Legacy Servers"
Section 37.1.19, "Use of SPACE Key Instead of Return Key in Oracle IRM Server"
Section 37.1.20, "Calendar Controls in Oracle IRM Server Not Accessible Via the Keyboard"
To protect the security of sealed PDF documents, some Adobe Reader functionality is disabled or restricted, as described below.
Protected Mode in Adobe Reader X
Sealed PDF documents cannot be opened if Adobe Reader Protected Mode is active. If Protected Mode has not been disabled in advance, Oracle IRM will offer to disable Protected Mode when you attempt to open a sealed PDF document. You can choose not to accept, in which case Protected Mode will remain active and the sealed PDF document will not be opened.
Use of Toolbar and Other Controls in Adobe Reader X
When using a sealed PDF document in the traditional view, you cannot use the toolbar that is shown within Internet Explorer across the top of the document. Instead, you must switch to the Read-Mode view (using Ctrl+H
) and use the buttons on the floating toolbar that appears in that view. You can use the buttons on the Read-Mode floating toolbar to save and print the sealed PDF document (if you have sufficient rights), and to page up and down, or to zoom in and out. You can also, subject to your rights, use the following keyboard shortcuts: Print (Ctrl+P
), Save (Ctrl+Shift+S
), and Copy (Ctrl+C
).
Use of Toolbar and Other Controls in Adobe Reader 9
The following Adobe Reader 9 toolbar buttons do not function:
Collaborate
Create Adobe PDF using Acrobat.com
If you click these buttons, you will see a message that the associated function is unavailable.
All other Adobe Reader 9 controls are available if you have sufficient rights. If you do not have sufficient rights, you will see a message when you attempt to use the control.
A further restriction applies to controls added to the Adobe Reader 9 interface by users when they have a sealed PDF document open: the added control will be inactive until Adobe Reader is closed and reopened.
Read-only support for Windows 2000/XP
Sealed documents will always open read-only when opened from Microsoft SharePoint using Microsoft Office 2000 or Microsoft Office XP. From Microsoft Office 2003 onwards, full checkout, edit, and save capabilities are supported. The following is the behavior when using a Microsoft SharePoint web site to browse and open sealed files:
Microsoft Office 2000 "open" behavior. Clicking any file in Microsoft SharePoint will result in the option to open the file or save it locally. Sealed files will always open read-only unless saved locally.
Microsoft Office 2000 "edit" behavior. The Edit in Microsoft Word [PowerPoint/Excel] option is not supported for any file (sealed or unsealed).
Microsoft Office XP "open" behavior. In Microsoft SharePoint 2007, when clicking a sealed file, a download dialog will be presented offering the option to open the file or save it locally. Sealed files will always open read-only unless saved locally. In Microsoft SharePoint 2010, when clicking a sealed file, a download dialog will be presented offering only the option to save the file locally.
Microsoft Office XP "edit" behavior. In Microsoft SharePoint 2007 and 2010, when choosing Edit in Microsoft Word [PowerPoint/Excel] from the drop- down list for the file, nothing will happen for the following sealed file types: .sppt
, .spot
, .sxlt
, .sdot
. All other sealed file formats will open read-only. In Microsoft SharePoint 2010, the Edit Document option is missing for sealed files when using the Datasheet view.
No support for merging
Files opened from Microsoft SharePoint that are locked for editing by another user will not offer the chance to edit a local copy and merge changes later. Oracle IRM Desktop forces the document to open read-only. In Microsoft Office 2010, the Office bar and Backstage view offer an Edit button to switch to edit mode: this is prevented for sealed documents. If you wish to edit the file, you will need to open it for editing from the Web browser: if it is not locked for editing elsewhere, it will open editable.
Microsoft Word 2010 files opened from SharePoint 2010 are read-only
The following Microsoft Word 2010 sealed file types cannot be edited if they are opened from SharePoint 2010: .sdocx
, .sdocm
, .sdotx
, .sdotm
. Other sealed Microsoft Word formats (for example, .sdoc
) will open as normal. The workaround is to save a copy of the file locally, edit that file, then upload it to SharePoint.
The Check Out button is sometimes missing when opening a sealed Excel file in Protected Mode
If the Microsoft SharePoint Web site is running under Protected Mode in Internet Explorer on Microsoft Vista or Microsoft Windows 7, the Check Out button is not shown. To work around this issue, check out the file first from the Web browser, or open the file directly via Windows Explorer, the Open dialog (available by choosing Open on the File menu), or the most-recently-used (MRU) list.
Using Microsoft Outlook to work with SharePoint offline
Microsoft Office 2007 onwards supports the ability to open a SharePoint folder in Outlook. The SharePoint files can then be worked on while offline, and Outlook will handle the synchronization of any changes. There are known issues with this capability when working with sealed files because Outlook opens them differently to native Microsoft Office files. You may get the message "Outlook cannot track the program used to open this document. Any changes you make to the document will not be saved to the original document" when opening sealed files from this view, and changes made to the sealed file will not automatically upload to the server. A manual send/receive is required.
In Microsoft Office 2010 the sealed files are opened in a mode which is similar to email attachments and require the following protected view settings:
Uncheck Enable Protected View for Outlook Attachments. This will allow opening of the server file from within the Outlook offline view.
Uncheck Enable Protected View for file originating from the Internet. This will allow opening of files when they are being edited offline.
Using Windows Explorer to open sealed files from SharePoint
Microsoft Office 2003 on Windows Vista may have problems opening sealed files from the Windows Explorer view of SharePoint. Microsoft Office may display a message similar to the following:
Could not open http://<sp_server>/DavWWWRoot/Docs/MyFolder/file.sdoc
A workaround for this is to access the folder using UNC. For example:
\\<sp_server>\Docs\MyFolder
When using the base release of Lotus Notes version 8.5, if the context selection dialog is canceled when sending a sealed email, an error occurs and the message is lost. This does not occur in earlier versions of Lotus Notes. This issue is resolved in Lotus Notes version 8.5.2.
The use of Save As is blocked in Microsoft Office 2000/XP for sealed files if the destination is a WebDAV folder (for example, in UCM). You'll need to save the sealed file to the local file system and upload it manually to the WebDAV folder. However, if you have the 11g UCM Desktop Integration Suite (DIS) installed, you can save sealed files as a new content item in UCM using the DIS menu in Microsoft Office.
The use of Save as Sealed, or of right-click Seal To (from Windows Explorer), will work when the destination is a WebDav folder.
When you check out unsealed files in SharePoint 2010, you are warned about the checkout and given the choice to use a local drafts folder. When you check out sealed files in SharePoint 2010, the file is checked out without giving the option to use a local drafts folder.
This issue refers to Oracle IRM Fields set up using custom properties, as described in the Oracle IRM Desktop help, in the topic Adding Oracle IRM Fields in Microsoft Excel.
The problem occurs when using a combination of Microsoft Windows Vista, Microsoft Internet Explorer 7 or 8, Microsoft Office 2007, and Microsoft SharePoint 2007.
If you open a sealed Microsoft Excel spreadsheet that contains custom properties, when you go to edit the spreadsheet, the custom properties are initially shown with the placeholder #NAME?
rather than with their correct values. The custom properties should update with their correct values when you start to edit the spreadsheet.
The behavior of automatic save and automatic recovery in Microsoft Office applications is as detailed below.
General
On automatic recovery, users are prompted to save the file to disk immediately in order to persist the recovered changes to a sealed file on disk. This is true for all versions and applications which support auto-recovery.
Word
All supported versions: automatic save and recovery of sealed files should behave as normal, with the exception that automatic saving is blocked if the filename contains a dot that is not part of the extension (for example, my.filename.sdoc
), or if the filename contains any double byte character.
In Word 2010, automatically saved files recovered from the Recovery pane will not automatically prompt for a Save As: users will need to perform the Save As manually.
PowerPoint
PowerPoint XP, 2003: automatic save and recovery of sealed files should behave as normal.
PowerPoint 2007: the automatic saving of sealed files does not take place.
PowerPoint 2000: automatic save is disabled if sealed files are open, meaning that, if the system crashes, any unsaved changes to any file (sealed or original) will be lost.
PowerPoint 2010: Automatically saved files do not appear in the Recovery pane, but Microsoft Office 2010 creates auto-saved files that can be opened via the Backstage view, enabling changes to be recovered.
Excel
All supported versions: automatically saved Excel files (.xar
) will be sealed, but the recovery of these files does not happen automatically. To recover "lost" changes, users need to locate the .xar
file and rename it to .sxls
.
Excel 2010: Automatically saved files do not appear in the Recovery pane, but Microsoft Office 2010 creates auto-saved files that can be opened via the Backstage view, enabling changes to be recovered.
Microsoft Office draft documents
Microsoft Office keeps unsaved copies of files for a short period. These are accessible from the Backstage view. Oracle IRM treats these files as auto-saved files, and opening them users will be prompted to perform a Save As operation. To use the restored file in place of the original file, users must copy the saved version over the original.
Because of these restrictions, it is recommended that you do not rely on automatic save and recovery. Instead, save your work frequently when using these applications.
Oracle IRM no longer supports the Microsoft Windows 2000 operating system.
Error messages are sent to the client (Oracle IRM Desktop) in the language of the server (Oracle IRM Server). Therefore, if the locale of the server is different to the locale of the client, the error code may be rendered in garbage characters. The error code remains readable, and can be provided to support services as necessary.
On the Oracle IRM Server Management Console, if you make changes on a tabbed page that has an Apply button, and then move to another tab without using the Apply button, the changes will be lost. You will not be prompted to save the changes that you made.
The following Microsoft PowerPoint and Microsoft Excel formats are not supported for sealing when using the Office 2007 Compatibility Pack with Office 2003 and earlier: SPOTM, SPOTX, SPPTM, SPPTX, SXLSX, and SXLTX. For these applications, use other file formats that are supported for sealing.
In Oracle IRM Desktop, if you attempt to check in your rights while a sealed email is open in Microsoft Word, Microsoft Word may hang. It is recommended that you do not check in your rights while a sealed email is open.
In Lotus Notes, if a sealed email has a communication thread with multiple messages or replies, the title bar may show a temporary file name instead of the correct subject name. You may also be prompted to save changes when you have not made any. No harm should arise from these anomalies.
Sealing files of size 2GB or larger is not supported in the current release of Oracle IRM Desktop.
When setting up indexed search, if you enter incorrect authentication credentials for a legacy server (for example, a 10g Oracle IRM Server) that has been set up for Windows NT authentication, the login retry dialog will show options for Windows basic authentication. You should not use Windows Authentication credentials to log in to legacy servers set up for Windows NT Authentication.
If users attempt to open a legacy Microsoft Office 2007 document (a document sealed with an older version of Oracle IRM), and Oracle IRM Desktop has not been synchronized with the server against which the document was sealed, the attempt will fail. The sealed document will not be opened, and the user will not be prompted to authenticate against the server to which the document was sealed. A second attempt to open the sealed document should succeed, because the initial attempt should have synchronized Oracle IRM Desktop with the server. Alternatively, the user can synchronize to the server manually (using the Oracle IRM Desktop Options dialog) before opening a legacy sealed document.
When using OAM (Oracle Access Management) 11g for SSO, the Log Out link on the Oracle IRM Server Management Console does not log the user out.
This release of Oracle IRM Desktop is available in many more languages than previous releases, including some double-byte languages. However, for legacy (10g) servers, as previously, data (user names, etc.) must still be entered using the 7-bit ASCII range of characters.
In some dialogs in the Oracle IRM Server Management Console, the Return key does not execute buttons. When this occurs, use the SPACE key instead.
In the Oracle IRM Server Management Console, the calendar controls are not accessible via the keyboard, and do not appear if the console is in Screen Reader mode. To enter a date using the keyboard, the date should be typed in.
This section describes configuration issues and their workarounds. It includes the following topics:
Section 37.2.1, "New JPS Configuration Properties for User and Group Searches"
Section 37.2.3, "Installing the 64-Bit Version of Oracle IRM Desktop"
Section 37.2.4, "Reboot Necessary to Obtain New Online Information Button"
Section 37.2.5, "Deploying Oracle IRM Using Oracle Access Manager Version 10g"
Section 37.2.6, "LDAP Reassociation Fails if User and Group Names are Identical"
Section 37.2.7, "Upgrading Oracle IRM Desktop From Versions Earlier Than 5.5"
Section 37.2.8, "Synchronizing Servers After an Upgrade of Oracle IRM Desktop"
Section 37.2.9, "Reapplying Lost Settings After an Upgrade of Oracle IRM Desktop"
Section 37.2.10, "Changing Oracle IRM Account When Authenticated Using Username and Password"
Section 37.2.11, "Post-Installation Steps Required for Oracle IRM Installation Against Oracle RAC"
The following new JPS configuration properties are supported in PS5. These settings allow the attributes used in the Oracle IRM Server Management Console user and group searches to be defined.
Property: oracle.irm.default.search.user.attributes
Valid values (one or more values are allowed, separated with a comma):
NAME
USER_NAME
FIRST_NAME
LAST_NAME
BUSINESS_EMAIL
Default value = "NAME,USER_NAME,FIRST_NAME,LAST_NAME,BUSINESS_EMAIL"
Property: oracle.irm.default.search.group.attributes
Valid value:
ROLE_NAME
Default value = "ROLE_NAME"
This complements the search filter attributes already supported in jps-config.xml.
Property: oracle.irm.default.search.filter
Valid values (one of the following):
EQUALS
BEGINS
ENDS
CONTAINS
Default value = "CONTAINS"
Example
An example JPS LDAP service instance entry:
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider"> <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/> <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/> <property name="oracle.irm.default.search.filter" value="BEGINS"/> <property name="oracle.irm.default.search.user.attributes" value="USER_NAME,NAME,BUSINESS_EMAIL"/> <property name="oracle.irm.default.search.group.attributes" value="ROLE_NAME"/> </serviceInstance>
The Oracle IRM Server Management Console has an issue that requires a patch to be applied to the installed or upgraded system. When selecting rights for a context, the Properties, Edit, and Remove buttons are always disabled and cannot be used. Selecting one or more rights will not enable the buttons.
Patch 12369706 fixes this issue. This patch can be downloaded from https://support.oracle.com
To install the patch:
Log onto https://support.oracle.com
Select Patches & Updates.
Enter the patch number 12369706
in the patch search.
Click Search.
Follow the installation instructions provided with the patch.
For this release, you can choose to install a 64-bit version of the Oracle IRM Desktop client tool. There are no specific instructions for this installation, but if you attempt to install the 64-bit version in a 32-bit environment, you will see messages that this is not possible.
After an upgrade from a previous release of Oracle IRM Desktop, the new Online Information button on the IRM tab in the Properties dialog (obtained by right-clicking Properties on a file in Windows Explorer) is missing until the system is rebooted. This does not affect new installations. A workaround is to restart after upgrading from a previous release of Oracle IRM Desktop, even though the installer does not prompt that a reboot is necessary.
Deploying Oracle IRM version 11gR1 in an environment using Oracle Access Manager version 10g requires additional configuration to process logout requests properly. For detailed information, see the section "Configuring Global Logout for Oracle Access Manager 10g and 10g WebGates" in the Oracle Fusion Middleware Application Security Guide.
When reassociating an LDAP identity store, the Oracle IRM process for exporting user and group information has an issue if user and group names are identical. If a user and group have identical names, the export process will lose either the user or the group details during the export step. This is because the user or group name is used as the file name, so one file overwrites the other. A post-reassociation workaround is to check user and group right assignments, and to manually reassign any that are missing.
You can upgrade to this release from Oracle IRM Desktop version 5.5 onwards, by running the installation wizard on the computer that has the older version.
For versions earlier than 5.5, or from any version of SealedMedia Unsealer or Desktop, you can upgrade to this release only by uninstalling the older version and installing this release.
If you are upgrading to this release of Oracle IRM Desktop from a 10g release, you will lose the locally stored rights to use sealed documents (the rights that enable you to continue working when you are offline). When this happens, you will have to obtain new rights by going online and synchronizing with the server. For this reason, do not begin an upgrade unless you have online access to the server.
When upgrading on Windows Vista or Windows 7, you may encounter a file lock and be prompted to retry, ignore, or cancel. You can safely use the ignore option if this happens.
If you are upgrading to this release of Oracle IRM Desktop from a 10g release, you will not be synchronized to any servers (Oracle IRM Server). This will show as a blank list on the Servers tab of the Oracle IRM Desktop Options dialog. Servers are automatically added to the list when you open sealed documents for which you have access rights. The easiest way to repopulate your list of servers is to open documents that have been sealed against servers on which you have rights.
If you are upgrading to this release of Oracle IRM Desktop from a 10g release, your previous settings (as shown on the Oracle IRM Desktop Options dialog) are not applied to the new installation. These include support for email systems, so you should reset these before attempting to work with sealed emails in Microsoft Outlook and Lotus Notes.
Oracle IRM Desktop caches user rights in an offline database. In earlier releases, this database was shared by all users of a machine. In this release, there is one offline database per Windows user.
You are strongly advised to use only one Oracle IRM account with each Windows account.
If you authenticate to the server (Oracle IRM Server) with a username and password, you can change the account you use as follows:
On the Update Rights tab of the Oracle IRM Desktop Options dialog, check in rights for all servers by clicking Check in.
On the Servers tab of the Oracle IRM Desktop Options dialog, select the server to be updated and click Clear Password.
Quit from any Oracle IRM-enabled applications, such as Adobe Reader and Microsoft Office.
If you think that Oracle IRM-enabled applications may still be running, restart Microsoft Windows.
On the Update Rights tab of the Oracle IRM Desktop Options dialog, synchronize rights for all servers by clicking Synchronize.
Users who are automatically authenticated to the server using Windows authentication cannot change their Oracle IRM account.
Access to the offline database is protected by your Windows credentials. You are no longer required to additionally authenticate to Oracle IRM when working offline.
To use Oracle RAC with an Oracle IRM instance, the Oracle IRM data source needs to be altered using the WebLogic Administration Console and the following procedure:
From Services, select JDBC, then select DataSources.
Select the OracleIRM data source.
On the Transaction tab, check Supports Global Transactions, then check Emulate Two-Phase Commit.
Click Save.
This will set the global-transactions-protocol
for Oracle IRM data-sources for Oracle RAC to EmulateTwoPhaseCommit
.
Use the following procedure to enable the Oracle IRM installation help page to open in a non-English server locale:
Unzip the shiphome.
Extract all the non-HTM files (7 files in total) from help\en
in the ecminstallhelp.jar
file located in Disk1\stage\ext\jlib\
Put these 7 files into the folder jar for the locale in which you will install ECM.
Overwrite ecminstallhelp.jar
with the modified version.
There are no known issues at this time.