19 Oracle Adaptive Access Manager

19.1.1 A Few Conditions in the Base Snapshot Are Not Translated

The following four conditions have not been translated for this release and display in English in non-English browsers:

• Check to see if the ASN for the current IP address is (or is not) in the ASN group

• Compare Transaction Counts across two different durations

• Checks if user's OTP failure counter value over a specified value

• IP is valid, unknown or private

19.1.2 Alert Trigger Sources Are Not Being Displayed in Session Details Page

In the Sessions Details page for sessions which contain alerts, the Trigger Source column is empty.

By default, the Session Details page does not display the trigger sources if the execution time for alerts is less than 2000 millisecond (2000 ms) since detailed logging is dependent on the execution time.

The property that controls this threshold and logging is

# Int property determining minimum time required for detailed logging
vcrypt.tracker.rulelog.detailed.minMillis=2000

After changing the property, print vcrypt.tracker.rulelog.detailed.minMillis=<value>.

Note: Changing the property influences only new sessions.

19.2.1 Job Queue Does Not Display Next Recurrence For Canceled Jobs

If the job is canceled, its next recurrence does not appear in the Job Queue.

19.2.2 Pause and Cancel Job Status Is Not Displayed in the Job Instance Tab

Pause and Cancel Job statuses do not display in the Job Instance tab when a job is canceled or paused. However, the Job Instance tab does show the status (record) at the next scheduled job instance.

19.2.3 Job Queue Process Start and End Time Does Not Follow the Browser Language Setting

In the Job Log tab of the Job Queue page, the Process Start Time and Process End Time columns display in the yyyy-mm-dd format even if the browser is not set to English.

19.2.4 Changing the Schedule Parameters Does Not Affect Next Recurrence

Changing the schedule parameters of a scheduled job does not affect the next recurrence of the job if the start date and time have not been changed. If a non-recurring job is changed to a recurring job, the scheduled recurrence does not occur if there is no change to the start date and time.

19.2.5 When Searching for an Online Job a Warning Might Appear in the Log

When a user clicks the Search button in the online Jobs page, a warnings may appear in the log. There is no loss of functionality.

19.2.6 When the Create Job Dialog is Clicked an Error Might Display

When the user clicks the Create Job dialog, an error may result occasionally. To work around this issue, log out or close the browser and open a new browser to log back in.

19.2.7 Errors Are Seen When Creating a New Job

Errors occur when creating a new job in the OAAM Offline environment. The workaround is to close the browser and start the application again.

19.3.1 Some Attributes of Returned Rules Result Not Set

When using the processRules OAAM Server API, users should be aware that the rule result returned by the API call may have attributes empty or null.

The following attributes returned by processRules API are not set:

• alertIdList

• transactionLogId

• runTimeType

• session Id

19.3.2 Search with Rule Notes Keyword is Not Working Properly

In the rule listing, the search and sort may not work properly on the Notes column. The search result may include rows that do not contain the search keyword.

19.3.3 Database Error Occurs When Deleting an Action or Alert Group in a Policy Override

Groups used in Score Overrides and Action Overrides are deleted without a warning message.

19.3.4 Exclude IP List Parameter Was Added to the User and Device Velocity Rule Conditions

A parameter, Exclude IP List, was added to the following conditions:

• Device: Velocity from last login

• User: Velocity from last login

This parameter allows you to specify a list of IPs to ignore. If a user's IP is from that list, then this condition always evaluates to false. If the user's IP is not in that list or if the list is null or empty, then the condition evaluates the velocity of the user or the device from the last login and evaluates to true if the velocity exceeds the configured value.

19.4.1 NullPointerException Occurs for UpdateTransaction and createTransaction APIs When Transaction is Null

A NullPointerException error on the client side occurs for the updateTransactions and createTransactions APIs when one of the transactions in the array is null. The server only returns success responses and the failed one is ignored.

19.5.1 java.lang.NullPointerException Occurs When GETOTPCODE Returns Error Response

A java.lang.NullPointerException occurs when a user tries to call toString on the returned response that contains an error.

19.6.1 UIO ISA Proxy: Certain Filters Are Note Evaluating the Variable in Value

Filters are used in the proxy to modify HTTP request/response contents or modify the state information saved in the proxy (variables). The following filters are not evaluating variables in the value:

• SetVariable

• AddHeader

• AddResponseCookie

• AddRequestCookie

• ReplaceText

19.6.2 UIO ISA Proxy: the Send-to-Server in Response Interceptor Fails Without Error Message

When the send-to-server action in the response interceptor is used without the display-url, the UIO ISA Proxy redirects the user to an incorrect location and does not display an error.

19.6.3 Warnings are Displayed in Memcached Environment During User Login

In an Apache Memcached environment, warnings are shown in the log during the user login flow. The functionality is not impacted.

19.7.1 NameValueProfile APIs Return Empty Values

The following namevalueprofile APIs return empty values:

• getNameValueProfile

• saveNameValueProfile

• refreshNameValueProfile

19.8.1 OAAM BI Publisher Reports Are Not Working in BI Publisher 11g

OAAM BI Publisher reports are not working on BI Publisher 11g.

19.8.2 Session Details Checkpoint Panel Order Sometimes Randomized

In the Session Details page, sometimes the checkpoint execution display order may not be the same as the execution order.

19.8.3 Alert Message Link in Session Details Page Does Not Open the Alert Details

When the user tries to access an alert details page from an alert message link in the Session Details page, the page fails to open.

To work around this issue, use the alert message link on the Session Search page.

19.9.1 Export Session Is Not Exporting All Records

Export Sessions to Excel exports selected rows only in the current set of visible 25 rows.

19.10.1 Localization Limitations

The following information is supported in English only in this release:

• Alert messages in the standard policies packaged with Oracle Adaptive Access Manager

• Action values in the RulesBreakdown and RecentLogin OAAM BI Publisher reports

• Notes for Action Templates

19.10.2 Policy, Rule, and Action in the OAAM Dashboard Do Not Pick Up110N Value

Policy, rule, and action are not displayed in their translated values in the Dashboard table. The issues are listed below:

• Locations: The Actions table in the Location dashboard does not display the translated value for actions when non-English content is viewed.

• Security: The Rules table in the Security dashboard does not display the Policy name, Rule name and Action in the browser's locale when non-English content is viewed.

• Performance: The Rules table in the Performance dashboard does not display the translated value for policy names when non-English content is viewed.

19.10.3 NLS: Descriptions in Non-ASCII Characters Fails to Save Maximum Length

On a few OAAM Administration pages, for fields with tooltips that say "Enter between 0 and 4000 characters", OAAM accepts input of up to 4000 non-ASCII characters but cannot save the non-ASCII string (for example, Chinese) if it contains more than 4000 bytes.

With UTF-8 encoding, one non-ASCII character uses 1, 2, 3 or 4 byte(s) to store in the database, so 4000 non-ASCII characters require more than 4000 bytes, which is the maximum size of the VARCHAR2 type field.

19.10.4 XMLDOMException Occurs When Saving Searches

An XMLDOMException may occur while saving the search criteria if certain characters, such as fullwidth digits (Unicode U+FF10 through U+FF19) are used. To work around this issue, substitute the characters with more ordinary equivalents (for example, ASCII digits 0 through 9 instead of fullwidth digits).

19.10.5 Date Format May Not Follow the Browser Language Setting in User Details

The Date of Last Online Action field uses the date format yyyy-mm-dd rather than the browser locale's date format. This occurs in the Registration Information panel on the Summary tab of the User Details page.

19.10.6 Sort for NLS String Might Not Work Properly for Out-of-the-Box Objects

With a 11.1.1.5.0 refresh installation and restore of pre-defined data from the oaam_base_snapshot.zip, sorting might not work properly for Group Name, Pattern Name, Entity Name and Description, Action Templates Name, KBA Validation Name and KBA Category Name in a non-English environment.

19.10.7 A Few Objects from the OAAM_BASE_SNAPSHOT.ZIP Appear in English Only

Some rules, groups, and other items are displayed in English when the 11.1.1.5.0 base snapshot is imported into the system.

19.11.1 Specifying Timeout Session Option in WebLogic Does Not Work for OAAM

The WebLogic Console provides an option to specify the session timeout for an application but changing this value does not work for OAAM Admin. The session timeout value should be configurable when OAAM is deployed.

The workaround to configure the session timeout value is to configure the web.xml session timeout in the WebLogic application server using the deployment plan feature. The steps are as follows:

1. Generate deployment plan from the existing non-plan based deployment.

   The URL for a WebLogic deployment plan example is:

   http://www.slideshare.net/jambay/weblogic-deployment-plan-example

2. Edit the plan.xml.

   1. Add a variable definition for the custom session timeout in minutes.

      ... 
         <variable-definition> 
           <variable> 
             <name>mySessionTimeOut</name> 
             <value>60</value> 
           </variable> 
         </variable-definition> 
         ... 
      

   2. Override the desired web application oaam_admin.war's web.xml as follows:

      <module-override> 
           <module-name>oaam_admin.war</module-name> 
           ... 
           <module-descriptor external="false"> 
             <root-element>web-app</root-element> 
             <uri>WEB-INF/web.xml</uri> 
            <variable-assignment> 
               <name>mySessionTimeOut</name> 
               <xpath>/web-app/session-config/session-timeout</xpath> 
             </variable-assignment> 
           </module-descriptor> 
           ... 
      

3. Then, select the application oaam_admin.ear and click the Update button in the deployment list

4. Select the plan path and redeploy the application.

   Ignore any shared library warnings.

5. Make sure your config-root is the application ear directory.

6. Restart all the servers.

19.12.1 Incorrect File Location for sample.bharosa_location.properties

The procedure to load location data into the Oracle Adaptive Access Manager database is not correct in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management. The location of the sample.bharosa_location.properties file is documented as oaam/WEB-INF/classes. The correct location for sample.bharosa_location.properties is <ORACLE_MW_HOME>/<IAM_HOME>/oaam/cli.

The corrected text is provided below:

Load Location Data into the Oracle Adaptive Access Manager database as follows:

1. Configure the IP Location Loader script, as described in the topics "OAAM Command Line Interface Scripts" and "Importing IP Location Data" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

2. Make a copy of the sample.bharosa_location.properties file, which is located under the <ORACLE_MW_HOME>/<IAM_HOME>/oaam/cli directory. Enter location data details in the location.data properties, as in the following examples:

   location.data.provider=quova
   location.data.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.dat.gz
   location.data.ref.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.ref.gz
   location.data.anonymizer.file=/tmp/quova/anonymizers_2008-07-09.dat.gz
   

3. Run the loader on the command line as follows:

   On Windows: loadIPLocationData.bat

   On UNIX: ./loadIPLocationData.sh

   Note:

   If you wish to generate CSF keys or passwords manually, see the "Setting Up Encryption and Database Credentials for OAAM" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

19.12.2 A Separate Step to Import KBA Questions Is Redundant in OAAM Setup

In the Oracle Fusion Middleware Installation Guide for Oracle Identity Management, a separate step is given to import KBA questions after importing the snapshot. Importing KBA questions is duplication and redundant since importing the snapshot imports KBA questions by default.

19.12.3 Rules Logging Property Setting for OAAM Offline Is Not Correct

The property for setting up rules logging in OAAM Offline is incorrect in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager. With property vcrypt.tracker.rules.trace.policySet.min.ms = 100, rules logs are not processed. The value to vcrypt.tracker.rules.trace.policySet.min.ms must be changed to -1.

Rule logging for detailed information can be turned on by setting:

vcrypt.tracker.rules.trace.policySet=true
vcrypt.tracker.rules.trace.policySet.min.ms=-1