Skip Headers
Oracle® Fusion Middleware Release Notes
11g Release 1 (11.1.1) for IBM AIX on POWER System (64-Bit)

Part Number E14771-34
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

24 Oracle Identity Manager

This chapter describes issues associated with Oracle Identity Manager. It includes the following topics:

24.1 Patch Requirements

This section describes patch requirements for Oracle Identity Manager 11g Release 1 (11.1.1). It includes the following sections:

24.1.1 Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)

To obtain a patch from My Oracle Support (formerly OracleMetaLink), go to following URL, click Patches and Updates, and search for the patch number:

https://support.oracle.com/

24.1.2 Patch Requirements for Oracle Database 11g (11.1.0.7)

Table 24-1 lists patches required for Oracle Identity Manager 11g Release 1 (11.1.1) configurations that use Oracle Database 11g (11.1.0.7). Before you configure Oracle Identity Manager 11g, be sure to apply the patches to your Oracle Database 11g (11.1.0.7) database.

Table 24-1 Required Patches for Oracle Database 11g (11.1.0.7)

Platform Patch Number and Description on My Oracle Support

UNIX / Linux

7614692: BULK FEATURE WITH 'SAVE EXCEPTIONS' DOES NOT WORK IN ORACLE 11G

 

7000281: DIFFERENCE IN FORALL STATEMENT BEHAVIOR IN 11G

 

8327137: WRONG RESULTS WITH INLINE VIEW AND AGGREGATION FUNCTION

 

8617824: MERGE LABEL REQUEST ON TOP OF 11.1.0.7 FOR BUGS 7628358 7598314

Windows 32 bit

8689191: ORACLE 11G 11.1.0.7 PATCH 16 BUG FOR WINDOWS 32 BIT

Windows 64 bit

8689199: ORACLE 11G 11.1.0.7 PATCH 16 BUG FOR WINDOWS (64-BIT AMD64 AND INTEL EM64T)


Note:

The patches listed for UNIX/Linux in Table 24-1 are also available by the same names for Solaris SPARC 64 bit.

24.1.3 Patch Requirements for Oracle Database 11g (11.2.0.2.0)

If you are using Oracle Database 11g (11.2.0.2.0), make sure that you download and install the appropriate version (based on the platform) for the RDBMS Patch Number 9776940. This is a prerequisite for installing the Oracle Identity Manager schemas.

Table 24-2 lists the patches required for Oracle Identity Manager 11g Release 1 (11.1.1) configurations that use Oracle Database 11g Release 2 (11.2.0.2.0). Make sure that you download and install the following patches before creating Oracle Identity Manager schemas.

Table 24-2 Required Patches for Oracle Database 11g (11.2.0.2.0)

Platform Patch Number and Description on My Oracle Support

Linux x86 (32-bit)

Linux x86 (64-bit)

Oracle Solaris on SPARC (64-bit)

Oracle Solaris on x86-64 (64-bit)

RDBMS Interim Patch#9776940.

Microsoft Windows x86 (32-bit)

Bundle Patch 2 [Patch#11669994] or later. The latest Bundle Patch is 4 [Patch# 11896290].

Microsoft Windows x86 (64-bit)

Bundle Patch 2 [Patch# 11669995] or later. The latest Bundle Patch is 4 [Patch# 11896292].


If this patch is not applied, then problems might occur in user and role search and manager lookup. In addition, search results might return empty result.

Note:

  • Apply this patch in ONLINE mode. Refer to the readme.txt file bundled with the patch for the steps to be followed.

  • In some environments, the RDBMS Interim Patch has been unable to resolve the issue, but the published workaround works. Refer to the metalink note "Wrong Results on 11.2.0.2 with Function-Based Index and OR Expansion due to fix for Bug:8352378 [Metalink Note ID 1264550.1]" for the workaround. This note can be followed to set the parameters accordingly with the only exception that they need to be altered at the Database Instance level by using ALTER SYSTEM SET <param>=<value> scope=<memory> or <both>.

24.1.4 Patch Requirements for Segregation of Duties (SoD)

Table 24-3 lists patches that resolve known issues with Segregation of Duties (SoD) functionality:

Table 24-3 SoD Patches

Patch Number / ID Description and Purpose

Patch number 9819201 on My Oracle Support

Apply this patch on the SOA Server to resolve the known issue described in "SoD Check During Request Provisioning Fails While Using SAML Token Client Policy When Default SoD Composite is Used".

The description of this patch on My Oracle Support is "ERROR WHILE USING SAML TOKEN CLIENT POLICY FOR CALLBACK."

Patch ID 3M68 using the Oracle Smart Update utility. Requires passcode: 6LUNDUC7.

Using the Oracle Smart Update utility, apply this patch on the Oracle WebLogic Server to resolve the known issue described in "SoD Check Fails While Using Client-Side Policy in Callback Invocation During Request Provisioning".


Note:

The SoD patches are required to resolve the known issues in Oracle Identity Manager 11g Release 1 (11.1.1.3), but these patches are not required in 11g Release 1 (11.1.1.5).

24.1.5 Patch Upgrade Requirement

While applying the patch provided by Oracle Identity Manager, the following error is generated:

ApplySession failed: ApplySession failed to prepare the system.

OPatch version 11.1.0.8.1 must be upgraded to version 11.1.0.8.2 to meet the version requirement.

See "Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)" for information about downloading OPatch from My Oracle Support.

24.2 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

24.2.1 Do Not Use Platform Archival Utility

Currently, the Platform Archival Utility is not supported and should not be used.

To work around this issue, use the predefined scheduled task named Orchestration Process Cleanup Task to delete all completed orchestration processes and related data.

24.2.2 SPML-DSML Service is Unsupported

Oracle Identity Manager's SPML-DSML Service is currently unsupported in 11g Release 1 (11.1.1). However, you can manually deploy the spml-dsml.ear archive file for Microsoft Active Directory password synchronization.

24.2.3 Resource Object Names Longer than 100 Characters Cause Import Failure

If a resource object name is more than 100 characters, an error occurs in the database and the resource object is not imported. To work around this issue, change the resource object's name in the XML file so the name is less than 100 characters.

24.2.4 Status of Users Created Through the Create and Modify User APIs

You cannot create users in Disabled State. Users are always created in Active State.

The Create and Modify User APIs do not honor the Users.Disable User attribute value. If you pass a value to the Users.Disable User attribute when calling the Create API, Oracle Identity Manager ignores this value and the USR table is always populated with a value of 0, which indicates the user's state is Active.

Use the Disable API to disable a user.

24.2.5 Status of Locked Users in Oracle Access Manager Integrations

When Oracle Access Manager locks a user account in an Oracle Identity Manager-Oracle Access Manager integration, it may take approximately five minutes, or the amount of time defined by the incremental reconciliation scheduled interval, for the status of the locked account to be reconciled and appear in Oracle Identity Manager. However, if a user account is locked or unlocked in Oracle Identity Manager, the status appears immediately.

24.2.6 Generating an Audit Snapshot after Bulk-Loading Users or Accounts

The GenerateSnapshot.[sh|bat] option does not work correctly when invoked from the Bulk Load utility. To work around this issue and generate a snapshot of the initial audit after bulk loading users or accounts, you must run GenerateSnapshot.[sh|bat] from the $OIM_HOME/bin/ directory.

24.2.7 Browser Timezone Not Displayed

Due to an ADF limitation, the browser timezone is currently not accessible to Oracle Identity Manager. Oracle Identity Manager bases the timezone information in all date values on the server's timezone. Consequently, end users will see timezone information in the date values, but the timezone value will display the server's timezone.

24.2.8 Date Format Change in the SoD Timestamp Field Not Supported

The date-time value that end users see in the Segregation of Duties (SoD) Check Timestamp field on the SoD Check page will always display as "YYYY-MM-DD hh:mm:ss" and this format cannot be localized.

To work around this localization issue, perform the following steps:

  1. Open the "Oracle_eBusiness_User_Management_9.1.0.1.0/xml/Oracle-eBusinessSuite-TCA-Main-ConnectorConfig.xml" file.

  2. In the EBS Connector import xml, locate the SoDCheckTimeStamp field for the Process Form. Change <SDC_FIELD_TYPE> to 'DateFieldDlg' and change <SDC_VARIANT_TYPE> to 'Date' as shown in the following example:

    <FormField name = "UD_EBST_USR_SODCHECKTIMESTAMP">
                 <SDC_UPDATE>!Do not change this field!</SDC_UPDATE>
                 <SDC_LABEL>SoDCheckTimestamp</SDC_LABEL>
                 <SDC_VERSION>1</SDC_VERSION>
                 <SDC_ORDER>23</SDC_ORDER>
                 <SDC_FIELD_TYPE>DateFieldDlg</SDC_FIELD_TYPE>
                 <SDC_DEFAULT>0</SDC_DEFAULT>
                 <SDC_ENCRYPTED>0</SDC_ENCRYPTED>
                 <!--SDC_SQL_LENGTH>50</SDC_SQL_LENGTH-->
                 <SDC_VARIANT_TYPE>Date</SDC_VARIANT_TYPE>
             </FormField>
    
  3. Import the Connector.

  4. Enable SoD Check.

  5. Provision the EBS Resource with entitlements to trigger an SoD Check.

  6. Check the SoDCheckTimeStamp field in Process Form to confirm it is localized like the other date fields in the form.

24.2.9 Bulk Loading CSV Files with UTF-8 BOM Encoding Not Supported

Bulk loading a CSV file for which UTF-8 BOM (byte order mark) encoding is specified causes an error. However, bulk-loading UTF-8 encoded CSV files works as expected if you specify "no BOM" encoding.

To work around this issue,

  • If you want to load non-ASCII data, you must change your CSV file encoding to "UTF-8 no BOM" before loading the CSV file.

  • If your data is stored in CSV files with "UTF-8 BOM" encoding, you must change them to "UTF-8 no BOM" encoding before running the bulkload script.

24.2.10 Date Type Attributes are Not Supported for the Default Scheduler Job, "Job History Archival"

The default Scheduler job, "Job History Archival," does not support date type attributes.

The "Archival Date" attribute parameter in "Job History Archival" only accepts string patterns such as "ddMMyyyy" and "MMM DD, yyyy."

When you run a Scheduler job, the code checks the date format. If you enter the wrong format, an error similar to the following example, displays in the execution status list and in the log console:

<IAM-1020063> <Incorrect format of Archival Date parameter. Archival Date is expected in DDMMYYYY or UI Date format.>

The job cannot run successfully until you input the correct Archival Date information.

24.2.11 Low File Limits Prevent Adapters from Compiling

On machines where the file limits are set too low, trying to create and compile an entity adapter causes a "Too many open files" error and the adapter will not compile.

To work around this issue, change the file limits on your machine to the following (located in /etc/security/limits.conf) and then restart the machine:

  • soft nofile 4096

  • hard nofile 4096

24.2.12 Reconciliation Engine Requires Matching Rules

Currently, Oracle Identity Manager's Reconciliation Engine in 11g Release 1 (11.1.1) requires you to define a matching rule to identify the users for every connector in reconciliation. Errors will occur during reconciliation if you do not define a matching rule to identify users.

24.2.13 SPML Requests Do Not Report When Any Date is Specified in Wrong Format

When any date, such as activeStartDate, hireDate, and so on, is specified in an incorrect format, the Web server does not pass those values to the SPML layer. Only valid dates are parsed and made available to SPML. Consequently, when any SPML request that contains an invalid date format, the invalid date format from the request is ignored and is not available for that operation. For example, if you specify the HireDate month as "8" instead of "08," the HireDate will not be populated after the Create request is completed and no error message is displayed.

The supported date format is:

yyyy-MM-dd hh:mm:ss.fffffffff

No other date format is supported.

24.2.14 Logs Populated with SoD Exceptions When the SoD Message Fails and Gets Stuck in the Queue

SoD functionality uses JMS-based processing. Oracle Identity Manager submits a message to the oimSODQueue for each SoD request. If for some reason an SoD message always results in an error, Oracle Identity Manager never processes the next message in the oimSODQueue. Oracle Identity Manager always picks the same error message for processing until you delete that message from the oimSODQueue.

To work around this issue, use the following steps to edit the queue properties and to delete the SoD message in oimSODQueue:

  1. Log on to the WebLogic Admin Console at http://<hostname>:<port>/console

  2. From the Console, select Services, Messaging, JMS Modules.

  3. Click OIMJMSModule. All queues will be displayed.

  4. Click oimSODQueue.

  5. Select the Configurations, Delivery Failure tabs.

  6. Change the retry count so that the message can only be submitted a specified number of times.

  7. Change the default Redelivery Limit value from -1 (which means infinite) to a specific value. For example, if you specify 1, the message will be submitted only once.

  8. To review and delete the SoD error message, go to the Monitoring tab, select the message, and delete it.

24.2.15 A Backslash (\) Cannot Be Used in a weblogic.properties File

If you are using the WeblogicImportMetadata.cmd utility to import data to MDS, then do not use a backslash (\) character in a path in the weblogic.properties file, or an exception will occur.

To work around this issue, you must use a double backslash (\\) or a forward slash (/) on Microsoft Windows. For example, change metadata_from_loc=C:\metadata\file to metadata_from_loc=C:\\metadata\\file in the weblogic.properties file.

24.2.16 Underscore Character Cannot Be Used When Searching for Resources

When you are searching for a resource object, do not use an underscore character (_) in the resource name. The search feature ignores the underscore and consequently does not return the expected results.

24.2.17 Assign to Administrator Action Rule is Not Supported by Reconciliation

Reconciliation does not support the Assign to Administrator Action rule.

To work around this issue, change the Assign to Administrator to None in the connector XML before importing the connector. However, after changing the value to None, you cannot revert to Assign to Administrator.

24.2.18 Some Buttons on Attestation Screens Do Not Work in Mozilla Firefox

If you are creating attestations in a Mozilla Firefox Web browser and you click certain buttons, nothing happens.

To work around this issue, click the Refresh button to refresh the page.

24.2.19 The maxloginattempts System Property Causes Autologin to Fail When User Tries to Unlock

WLS Security Realm has a default lock-out policy that locks out users for some time after several unsuccessful login attempts. This policy can interfere with the locking and unlocking functionality of Oracle Identity Manager.

To prevent the WLS Security Realm lock-out policy from affecting the lock/unlock functionality of Oracle Identity Manager, you must set the 'Lockout Threshold' value in the WLS 'User Lockout Policy' to at least 5 more than the value in Oracle Identity Manager. For example, if the value in Oracle Identity Manager is set to 10, you must set the WLS 'Lockout Threshold' value to 15.

To change the default values for the 'User lockout Policy,' perform the following steps:

  1. Open the WebLogic Server Administrative Console.

  2. Select Security Realms, REALM_NAME.

  3. Select the User Lockout tab.

  4. If configuration editing is not enabled, then click the Lock and Edit button to enable configuration editing.

  5. Change the value of lockout threshold to the required value.

  6. Click Save to save the changes.

  7. Click Activate to activate your changes.

  8. Restart all the servers in the domain.

24.2.20 "<User not found>" Error Message Appears in AdminServer Console While Setting-Up an Oracle Identity Manager-Oracle Access Manager Integration

When you set up Oracle Identity Manager-Oracle Access Manager Integration with a JAVA agent and log into the Admin Server Console, a "<User not found>" error message is displayed. This message displays even when the login is successful.

24.2.21 Do Not Use Single Quote Character in Reconciliation Matching Rule

If the single quote character (') is used in reconciliation data (for example, 'B'1USER1'), then target reconciliation will fail with an exception.

24.2.22 Do Not Use Special Characters When Reconciling Roles from LDAP

Due to a limitation in the Oracle SOA Infrastructure, do not use special characters such as commas (,) in role names, group names, or container descriptions when reconciling roles from LDAP. Oracle Identity Manager's internal code uses special characters as delimiters. For example, Oracle Identity Manager uses commas (,) as approver delimiters and the SOA HWF-level global configuration uses commas as assignee delimiters.

24.2.23 SoD Check During Request Provisioning Fails While Using SAML Token Client Policy When Default SoD Composite is Used

SoD check fails and the following error is displayed on the SOA console when SoD check is performed during request provisioning only when the Default SoD Check composite is used:

SEVERE: FabricProviderServlet.handleException Error during retrieval of test page or composite resourcejavax.servlet.ServletException: java.lang.NullPointerException

This happens when Callback is made from Oracle Identity Manager to SOA with the SoDCheck Results.

To resolve this issue, apply patch 9819201 on the SOA server. You can obtain patch 9819201 from My Oracle Support. The description of this patch on My Oracle Support is "ERROR WHILE USING SAML TOKEN CLIENT POLICY FOR CALLBACK."

For more information, refer to:

24.2.24 SoD Check Fails While Using Client-Side Policy in Callback Invocation During Request Provisioning

SoD check fails and following error is displayed on the Oracle Identity Manager Administrative and User Console when SoD check is performed during request provisioning only when the Default SoD Check composite is used:

<Error> <oracle.wsm.resources.policymanager><WSM-02264> <"/base_domain/oim_server1/oim/unknown/iam-ejb.jar/WEBSERVICECLIENTs/SoDCheckResultService/PORTs/ResultPort" is not a recognized resource pattern.>
<Error> <oracle.iam.sod.impl> <IAM-4040002><Error getting Request Service : java.lang.IllegalArgumentException: WSM-02264 "/base_domain/oim_server1/oim/unknown/iam-ejb.jar/WEBSERVICECLIENTs/SoDCheckResultService/PORTs/ResultPort" is not a recognized resource pattern.>

To resolve this issue, use the Oracle Smart Update utility to apply patch ID 3M68, which requires passcode of 6LUNDUC7, on Oracle WebLogic Server. For more information, refer to:

24.2.25 Error While Starting Remote Manager on AIX

On starting remote manager from Oracle_IDM1/remote_manager by running the remotemanager.sh script on AIX, it shows the following error:

Class/Method: RMISSLServerSocketFactory/createServerSocket Remote Manager server socket port is 12346
Exception in thread "main" java.lang.NoClassDefFoundError: com.sun.net.ssl.SSLContext

To work around this issue, perform the following steps after installing the remote manager:

  1. Open Oracle_IDM1/remote_manager/config/xlconfig.xml.

  2. Change the value for KeyManagerFactory from SUNX509 to IBMX509.

On creating an IT Resource with Type chosen as Remote Manager by selecting the Create an IT Resource option in OIM application, the following error is seen:

<XELLERATE.WEBAPP> <BEA-000000> <Class/Method: tcAction/execute encounter some problems:
javax.servlet.ServletException: java.lang.NoClassDefFoundError: com/sun/net/ssl/SSLContext>

To work around this issue, perform the following steps:

  1. Login to Enterprise Manager:

    http://adminhostname:adminport/em
    
  2. Right-click on Domains, select Base domain, select cluster, and then select oim_server1.

  3. Select system Mbean browser, select oracle.iam, select Server: oim_server1, select Application: oim, select XMLConfig, select Config, select XMLConfig.RemoteManager, and then select RemoteManager.

  4. Change the value for KeyManagerFactory from SUNX509 to IBMX509.

  5. Click Apply.

  6. Restart the oim_server.

24.2.26 Error May Appear During Provisioning when Generic Technology Connector Framework Uses SPML

When using the generic technology connector framework uses SPML, during provisioning, the following error may appear:

<SPMLProvisioningFormatProvider.formatData :problem with Velocity Template Unable
to find resource 'com/thortech/xl/gc/impl/prov/SpmlRequest.vm'>

If the error occurs, it blocks provisioning by using the predefined SPML GTC provisioning format provider. Restarting the Oracle Identity Manager server prevents the error from appearing again.

24.2.27 Cannot Click Buttons in TransUI When Using Mozilla Firefox

When using the Mozilla Firefox browser, in certain situations, some buttons in the legacy user interface, also known as TransUI, cannot be clicked. This issue occurs intermittently and can be resolved by using Firefox's reload (refresh) function.

24.2.28 LDAP Handler May Cause Invalid Exception While Creating, Deleting, or Modifying a Role

If an LDAP handler causes an exception when you create, modify, or delete a role, an invalid error message, such as System Error or Role does not exist, may appear.

To work around this issue, look in the log files, which will display the correct error message.

24.2.29 Cannot Reset User Password Comprised of Non-ASCII Characters

If a user's password is comprised of non-ASCII characters, and that user tries to reset the password from either the My Profile or initial login screens in the Oracle Identity Manager Self Service interface, the reset will fail with the following error message:

Failed to change password during the validation of the old password

Note:

This error does not occur with user passwords comprised of only ASCII characters.

To work around this issue, perform the following steps:

  1. Set the JVM file encoding to UTF8, for example: -Dfile.encoding=UTF-8

    Note:

    On Windows systems, this may cause the console output to appear distorted, though output in the log files appear correctly.
  2. Restart the Oracle WebLogic Server.

24.2.30 Benign Exception and Error Message May Appear While Patching Authorization Policies

When patches are applied to the Authorization Polices that are included with Oracle Identity manager and the JavaSE environment registers the Oracle JDBC driver, java.security.AccessControlException is reported and the following error message appears:

Error while registering Oracle JDBC Diagnosability MBean

You can ignore this benign exception, as the Authorization Policies are seeded successfully, despite the exception and error messages.

24.2.31 The DateTime Pick in the Trans UI Does Not Work Correctly in the Thai Locale

When locale is set to th_TH in Microsoft Windows Internet Explorer Web browser, the datetime in Oracle Identity Manager follows the Thai Buddhist calendar. In the Create Attestation page of the Administrative and User Console, when you select a date for start time, the year is displayed according to the Thai Buddhist calendar, for example, 2553. After you click OK, the equivalent year according to the Gregorian calendar, which is 2010, is displayed in the start time field. But when you click Next to continue creating the attestation, an error message is displayed stating that the start time of the process must not belong to the past.

To workaround this issue, perform any one of the following:

  • Specify the datetime manually.

  • Use Mozilla Firefox Web browser, which uses the Gregorian calendar.

24.2.32 User Without Access Policy Administrators Role Cannot View Data in Access Policy Reports

OIM user without the ACCESS POLICY ADMINISTRATORS role cannot view data in the following reports:

  • Access Policy Details

  • Access Policy List by Role

To workaround this issue:

  1. Assign the ACCESS POLICY ADMINISTRATORS role to an OIM user.

  2. Create a BI Publisher user with the same username in Step 1. Assign appropriated BI Publisher role to view reports.

  3. Login as the BI Publisher user mentioned in step 2. View the Access Policy Details and Access Policy List by Role reports. All access policies are displayed.

24.2.33 Archival Utility Throws an Error for Empty Date

In case of empty date, archival utility throws an error message, but proceeds to archive data by mapping to the current date. Currently, no workaround exists for this issue.

24.2.34 TransUI Closes with Direct Provisioning of a Resource

TransUI closes while doing a direct provisioning if user defined field (UDF) is created with the default values. To work around this issue, you need to create a Lookup Code for the INTEGER/DOUBLE type UDF in the LKU/LKV table.

24.2.35 Scheduler Throws "ParameterValueTypeNotSupportedException" Instead of "RequiredParameterNotSetException"

On AIX platform, when a required parameter is missing during the creation of a scheduler job, instead of throwing "RequiredParameterNotSetException" with the error message "The value is not set for required parameters of a scheduled task.", it throws "ParameterValueTypeNotSupportedException" with the error message "Parameter value is not set properly". Currently, no workaround exists for this issue.

24.2.36 All New User Attributes Are Not Supported for Attestation in Oracle Identity Manager 11g

New user attributes are added in Oracle Identity Manager 11g. Not all of them are available for Attestation while defining user-scope. However, Attestation has been enhanced to include the following user attributes:

  • USR_COUNTRY

  • USR_LDAP_ORGANIZATION

  • USR_LDAP_ORGANIZATION_UNIT

  • USR_LDAP_GUID

Currently, no workaround exists for this issue.

24.2.37 LDAP GUID Mapping to Any Field of Trusted Resource Not Supported

Update fails in LDAP, if LDAP GUID is mapped to any field of trusted resource in LDAP-SYNC enabled installation. To work around this issue, Oracle does not recommend mapping for LDAP GUID field while creating reconciliation field mapping for a trusted resource.

24.2.38 User Details for Design Console Access Field Must Be Mapped to Correct Values When Reading Modify Request Results

When a Modify Request is raised, "End-User" and "End-User Administrator" values are displayed for the "Design Console Access" field. These values must be mapped to False/True while interpreting the user details.

24.2.39 Cannot Create a User Containing Asterisks if a Similar User Exists

If you try to create a user that contains an asterisk (*) after creating a user with a similar name, the attempt will fail. For example, if you create user test1test, followed by test*test, test*test will not be created.

It is recommended to not create users with asterisks in the User Login field.

24.2.40 Blank Status Column Displayed for Past Proxies

The Status field on the Post Proxies page is blank. However, active proxies are displayed correctly on Current Proxies page.

Currently, no workaround exists for this issue.

24.2.41 Mapping the Password Field in a Reconciliation Profile Prevents Users from Being Created

The Password field is available to be mapped with a reconciliation profile, but it should not be used. Attempting to map this field will generate a reconciliation event that will not create users. (The event ends in "No Match Found State".) In addition, you will not be able to re-evaluate or manually link this event.

24.2.42 UID Displayed as User Login in User Search Results

Although you can select the UID attribute from the Search Results Table Configuration list on the Search Configuration page of the Advanced Administration, the search results table for advanced search for users displays the User Login field instead of the UID field.

24.2.43 Roles/Organizations Browse Trees Disappear

After you delete an organization, the Browse trees for organizations and roles might not be displayed.

To work around this issue, click the Search Results tab, then click the Browse tab. The roles and organizations browse trees display correctly.

24.2.44 Entitlement Selection Is Not Optional for Data Gathering

Entitlement (Child Table) selection during data gathering on the process form, for the "Depends On (Depended)" attribute is not optional. During data gathering, if dependent lookups are configured, then the user has to select the parent lookup value so that filtering happens on the child lookup and thus user gets a final list of entitlements to select . Currently, no workaround exists to directly filter the values based on the child lookup.

24.2.45 Oracle Identity Manager Server Throws Generic Exception While Deploying a Connector

Generic exceptions are shown in server logs every time deployment manager import happens or profile changes manually or profile changes via design console. This is because "WLSINTERNAL" is not an authorized user of Oracle Identity Manager. "WLSINTERNAL" is an internal user of WebLogic Server, and MDS uses it to invoke MDS listeners if there is a change in XMLs stored in MDS. Currently, no workaround exists for this issue.

24.2.46 Create User API Allows Any Value for the "Users.Password Never Expires", "Users.Password Cannot Change", and "Users.Password Must Change" Fields

Create User API allows the user to set any value between 0 and 9 instead of 0 or 1 for "Users.Password Never Expires", "Users.Password Cannot Change" and "Users.Password Must Change" fields. However, any value other than 0 is considered as TRUE and 0 is considered as FALSE, and the flag is set accordingly for the user being created. Currently, no workaround exists for this issue.

24.2.47 Incorrect Label in JGraph Screen for the GTC

The User Type label on the JGraph screen is displayed incorrectly as Design Console Access. To display User Type, add the line Xellerate_Type=User Type to the OIM_HOME/server/customResources/customResources.properties file.

24.2.48 Running the Workflow Registration Utility Generates an Error

When the workflow registration utility is run in a clustered deployment of Oracle Identity Manager, the following error is generated:

[java] oracle.iam.platform.utils.NoSuchServiceException:
java.lang.reflect.InvocationTargetException

Ignore the error message.

24.2.49 Native Performance Pack is Not Enabled On Solaris 64-bit JVM Install

For Oracle Identity Manager JVM install on a Solaris 64-bit computer, Oracle WebLogic log displays the following error:

Unable to load performance pack. Using Java I/O instead. Please ensure that a native performance library is in:

To workaround this issue, perform the following to ensure that JDK picks up the 64-bit native performance:

  1. In a text editor, open the MIDDLEWARE_HOME/wlserver_10.3/common/bin/commEnv.sh file.

  2. Replace the following:

    SUN_ARCH_DATA_MODEL="32"
    

    With:

    SUN_ARCH_DATA_MODEL="64"
    
  3. Save and close the commEnv.sh file.

  4. Restart the application server.

24.2.50 Error in the Create Generic Technology Connector Wizard

If you enter incorrect credentials for the database on the Create Generic Technology Connector wizard, a system error window is displayed. You must close this window and run the wizard again.

24.2.51 DSML Profile for the SPML Web Service is Not Deployed With Oracle Identity Manager

The DSML profile for the SPML Web service is not deployed by default with Oracle Identity Manager 11g Release 1 (11.1.1). SPML-DSML binaries are bundled with the Oracle Identity Manager installer to support Microsoft Active Directory Password Synchronization. You must deploy the spml-dsml.ear file manually.

24.2.52 New Human Tasks Must Be Copied in SOA Composites

When you add a new human task to an existing SOA composite, you must ensure that all the copy operations for the attributes in the original human task are added to the new human task. Otherwise, an error could be displayed on the View Task Details page.

24.2.53 Modify Provisioned Resource Request Does Not Support Service Account Flag

A regular account cannot be changed to a service account, and similarly, a service account cannot be changed to a regular account through a Modify Provisioned Resource request.

24.2.54 Erroneous "Query by Example" Icon in Identity Administration Console

In the Identity Administration console, when viewing role details from the Members tab, an erroneous icon with the "tooltip" (mouse-over text) of "Query By Example" appears. This "Query By Example" icon is non-functional and should be ignored.

24.2.55 The XL.ForcePasswordChangeAtFirstLogin System Property Is No Longer Used

The XL.ForcePasswordChangeAtFirstLogin system property is no longer used in Oracle Identity Manager 11g Release 1 (11.1.1.1). Therefore, forcing the user to change the password at first login cannot be configured. By default, the user must change the password:

  • When the new user, other than self-registered users, is logging in to Oracle Identity Manager for the first time

  • When the user is logging in to Oracle Identity Manager for the first time after the password has been reset

24.2.56 The tcExportOperationsIntf.findObjects(type,name) API Does Not Accept the Asterisk (*) Wilcard Character in Both Parameters

The tcExportOperationsIntf.findObjects(type,name) API accepts the asterisk (*) wildcard character only for the second parameter, which is name. For type, a category must be specified. For example, findObjects("Resource","*") is a valid call, but findObjects("*","*") is not valid.

24.2.57 Disabled Links on the Access Policy Summary Page Opened in Mozilla FireFox

In the Verify Information for this Access Policy page of the Create/Modify Access Policy wizards opened in Mozilla Firefox Web browser, you click Change for resource to be provisioned by the access policy, and then click Edit to edit the process form data for the resources to be provisioned. If you click the Close button on the Edit form, then the change links for any one of the access policy information sections, such as resources to be provisioned by the access policy, resources to be denied by the access policy, or roles for the access policy, do not work.

To workaround this issue, click Refresh. All the links in the Verify Information for this Access Policy page are enabled.

24.2.58 Benign Error is Generated on Editing the IT Resource Form in Advanced Administration

When you click the Edit link on the IT Resource form in the Advanced Administration, the following error message is logged:

<Error> <XELLERATE.APIS> <BEA-000000>
<Class/Method: tcFormDefinitionOperationsBean/getFormFieldPropertyValue encounter some problems: Property 'Column Names' has not defined for the form field '-82'> 

The error message is benign and can be ignored because there is no loss of functionality.

24.2.59 User Account is Not Locked in iPlanet Directory Server After it is Locked in Oracle Identity Manager

After reaching the maximum login attempts, a user is locked in Oracle Identity Manager. But in iPlanet DS/ODSEE, the user is not locked. The orclAccountLocked feature is not supported because the backend iPlanet DS/ODSEE does not support account unlock by setting the Operational attribute. Account is unlocked only with a password reset. The nsaccountlock attribute is available for administrative lockout. The password policies do not use this attribute, but you can use this attribute to independently lock an account. If the password policy locks the account, then nsaccountlock locks the user even after the password policy lockout is gone.

24.2.60 Oracle Identity Manager Does Not Support Autologin With JavaAgent

In an Oracle Access Manager (OAM) integrated deployment of Oracle Identity Manager with JavaAgent, when a user created in Oracle Identity Manager tries to login to the Oracle Identity Manager Administrative and User Console for the first time, the user is forced to reset password and set challenge questions. After this, the user is not logged in to Oracle Identity Manager automatically, but is redirected to the OAM login page. This is because Oracle Identity Manager does not support autologin when JavaAgent is used.

24.2.61 Benign Error Logged on Opening Access Policies, Resources, or Attestation Processes

As a delegated administrator, when you open the page to display the details of an access policy, resource, or attestation process, the following error is logged:

Error> <org.apache.struts.tiles.taglib.InsertTag> <BEA-000000>
<Can't insert page '/gc/EmptyTiles.jsp' : Write failed: Broken pipe  java.net.SocketException: Write failed: Broken pipe

The error is benign and can be ignored because there is no loss of functionality.

24.2.62 User Locked in Oracle Identity Manager But Not in LDAP

In a LDAP-enabled deployment of Oracle Identity Manager in which the directory servers are Microsoft Active Directory (AD) or Oracle Internet Directory (OID), when a user is manually locked in Oracle Identity Manager by the administrator, the user is not locked in LDAP if a password policy is not configured in LDAP. The configurable password policy in LDAP can either be the default password policy that is applicable to all the LDAP users, or it can be a user-specific Password Setting Object (PSO).

24.2.63 Reconciliation Profile Must Not Be Regenerated Via Design Console for Xellerate Organization Resource Object

By default, the Xellerate Organization resource object does not have reconciliation to Oracle Identity Manager field mappings and any matching/action rule information. As a result, when reconciliation profile for Xellerate Organization resource object is updated via Design Console, it corrupts the existing reconciliation configuration for that resource object, and reconciliation fails with empty status.

To workaround this issue, do not generate the reconciliation profile/configuration via the Design Console. Instead, export the Xellerate Organization profile from Meta Data Store (MDS) and edit it manually, and import it back into Oracle Identity Manager. If the profile changes include modification of the reconciliation fields, then the corresponding changes must be made in the horizontal table schema and its entity definition as well.

24.2.64 Benign Error Logged on Clicking Administration After Upgrade

After upgrading Oracle Identity Manager from Release 9.1.0.1 to 11g Release 1 (11.1.1), on clicking the Administration link on the Administrative and User Console, the following error is logged:

<Error> <oracle.adfinternal.view.page.editor.utils.ReflectionUtility>
<WCS-16178> <Error instantiating class - oracle.adfdtinternal.view.faces.portlet.PortletDefinitionDTFactory>

This error is benign and can be ignored because there is no loss of functionality.

24.2.65 Provisioning Fails Through Access Policy for Provisioned User

When a user is already provisioned and you try to assign a role to the user that triggers provisioning to the target domain, the provisioning is not started. However, if the user is not provisioned already and you assign a role to the user, then the provisioning occurs successfully.

To workaround this issue:

  1. Open the connector-specific user form in the Design Console.

  2. Create a new version of the connector, and select Edit.

  3. Click the Properties tab, and then click server (ITResourceLookupField). Click Add Property.

  4. Add Required for the property and specify true. Click Make Version Active, and then click Save.

  5. Login to Oracle Identity Manager Administrative and User Console.

  6. Navigate to System Property. Search for the 'Allows access policy based provisioning of multiple instances of a resource' system property. Change the value of this property to TRUE.

  7. Restart Oracle Identity Manager.

Try provisioning a provisioned user to provision through access policy of the same IT Resource Type, and the provisioning is successful.

24.2.66 Benign Warning Messages Displayed During Oracle Identity Manager Managed Server Startup

Several messages resembling the following are logged during Oracle Identity Manager managed server startup:

<Mar 30, 2011 6:51:01 PM PDT> <Warning> <oracle.iam.platform.kernel.impl>
<IAM-0080071> 
<Preview stage is not supported in kernel and found an event handler with name ProvisionAccountPreviewHandler implemented by the class oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountPreviewHandlerfor this stage. It will be ignored.>

These warning messages are benign and can be ignored because there is no loss of functionality.

24.2.67 Benign Message Displayed When Running the Deployment Manager

When running the Deployment Manager, a message with header ' XUL SYNTAX: ID Conflict' is displayed.

This message is benign and can be ignored because there is no loss of functionality. Close the message and continue.

24.2.68 Deployment Manager Export Fails When Started Using Microsoft Internet Explorer 7 With JRE Plugin 1.6_23

After upgrading Oracle Identity Manager from an earlier release to 11g Release 1 (11.1.1), when you use the Microsoft Internet Explorer 7 Web browser with JRE plugin 1.6_23 to open the Administrative and User Console and try to export files by using the Deployment Manager, an error is generated and you cannot proceed with the export.

To workaround this issue, use a combination of the following Web browsers and plugins:

  • Mozilla Firefox 3.6 and JRE version 1.6_23 on 64-bit computer

  • Microsoft Internet Explorer 7 and JRE version 1.5

  • Microsoft Internet Explorer 8 and JRE version 1.6_18

  • Microsoft Internet Explorer 7 and JRE version 1.6_24

24.2.69 User Creation Fails in Microsoft Active Directory When Value of Country Attribute Exceeds Two Characters

In a LDAP-enabled deployment of Oracle Identity Manager, user creation fails in the Microsoft Active Directory (AD) server if the value of the Country attribute exceeds two characters. AD mandates two characters for the Country attribute, for example US, based on the ISO 3166 standards.

24.2.70 Deployment Manager Import Fails if Scheduled Job Entries Are Present Prior To Scheduled Task Entries in the XML File

In Oracle Identity Manager 11g Release 1 (11.1.1), schedules job has a dependency on scheduled task. Therefore, scheduled task must be imported prior to scheduled job.

As a result, if a XML file has scheduled job entries prior to scheduled task entries, then importing the XML file using Deployment Manager fails with the following error message:

[exec] Caused By: oracle.iam.scheduler.exception.SchedulerException: Invalid ScheduleTask definition
[exec] com.thortech.xl.ddm.exception.DDMException

To workaround this issue, open the XML file and move all scheduled task entries above the scheduled job entries.

24.2.71 Permission on Target User Required to Revoke Resource

When you login to the Administrative and User Console with Identity User Administrators and Resource Administrators roles, direct provision a resource to a user, and attempt to revoke the resource from the user, an error message is displayed.

To workaround this issue, you (logged-in user) must have the write permission on the target user (such as user1). To achieve this:

  1. Create a role, such as role1, and assign self to this role.

  2. Create an organization, such as org1, and assign role1 as administrative group.

  3. Modify the user user1 and change its organization to org1. You can now revoke the resource from user1.

24.2.72 Reconciliation Event Fails for Trusted Source Reconciliation Because of Missing Reconciliation Rule in Upgraded Version of Oracle Identity Manager

When Oracle Identity Manager is upgraded from an earlier release to 11g Release 1 (11.1.1), for trusted source reconciliation, such as trusted source reconciliation using GTC, the reconciliation event fails with the following error message because of a missing reconciliation rule:

<Mar 31, 2011 6:27:41 PM CDT> <Info> <oracle.iam.reconciliation.impl>
<IAM-5010006> <The following exception occurred: {0}
oracle.iam.platform.utils.SuperRuntimeException:
Error occurred in XL_SP_RECONEVALUATEUSER while processing Event No 3
Error occurred in XL_SP_RECONUSERMATCH while processing Event No 3
One or more input parameter passed as null

To workaround this issue:

  1. Create a reconciliation rule for the resource object.

  2. In the Resource Object form of the Design Console, click Create Reconciliation Profile.

24.2.73 XML Validation Error on Oracle Identity Manager Managed Server Startup

The following error message is logged at the time of Oracle Identity Manager Managed Server startup:

<Mar 29, 2011 2:49:31 PM PDT> <Error> <oracle.iam.platform.kernel.impl>
<IAM-0080075> <XML schema validation failed for XML/metadata/iam-features-callbacks/event_configuration/EventHandlers.xml and it will not be loaded by kernel. >

<Mar 29, 2011 2:49:32 PM PDT> <Error> <oracle.iam.platform.kernel.impl>
<IAM-0080075> <XML schema validation failed for XML/metadata/iam-features-OIMMigration/EventHandlers.xml and it will not be loaded by kernel. >

This error message is benign and can be ignored because there is no loss of functionality.

24.2.74 Cannot View or Edit Adapter Mapping in the Data Object Manager Form of the Design Console

When you click Map on the Map Adapters tab in the Data Object Manager form of the Design Console, a dialog box is displayed that allows you to edit the individual entity adapter mappings. But the list with fields on the user object to map is displayed as empty. As a result, you cannot view or edit the individual entity adapter mappings.

Use of entity adapters is deprecated in Oracle Identity Manager 11g Release 1 (11.1.1), although limited support is still provided for backward compatibility only. Event handlers must be used for all new or changed scenarios.

24.2.75 Role Memberships for Assign or Revoke Operations Not Updated on Enabling or Disabling Referential Integrity Plug-in

In a multi-directory deployment, the secondary server must be OID. The primary server can be OID or AD. For example, users can be stored in the OID or AD primary server, and roles can be stored in the OID secondary server. Enabling of disabling the referential integrity plug-in does not update the role memberships for assign or revoke operations.

24.2.76 Deployment Manager Import Fails if Data Level for Rules is Set to 1

An entry in the Oracle Identity Manager database cannot be updated if data level is set to 1. When you try to import a Deployment Manager XML, the following error is displayed:

Class/Method: tcTableDataObj/updateImplementation Error :The row cannot be updated.
[2011-04-06T07:25:36.583-05:00] [oim_server1] [ERROR] []
[XELLERATE.DDM.IMPORT] [tid: [ACTIVE].ExecuteThread: '6' for queue:
'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid:
cad00d8aeed4d8fc:-67a4db1a:12f2abbac4b:-8000-000000000000018e,0] [APP:
oim#11.1.1.3.0] The security level for this data item indicates that it cannot be updated.

To workaround this issue, open the XML file and change the data level for rules from 1 to 0, as shown:

<RUL_DATA_LEVEL>0</RUL_DATA_LEVEL>

24.2.77 Reconciliation Data Displays Attributes That Are Not Modified

In an Oracle Identity Manager deployment with LDAP synchronization enabled and Microsoft Active Directory (AD) as the directory server, the Reconciliation Data tab of the Event Management page in the Administrative and User Console displays all the attributes of the reconciled user instead of displaying only the modified attributes. This is because of the way AD changelogs are processed, in which the entire entry is marked as updated when any attribute is changed. Therefore, Oracle Virtual Directory (OVD) returns the full entry. There is no way to figure out which attribute has been modified as a result of reconciliation.

24.2.78 Benign Errors Displayed on Starting the Scheduler Service When There are Scheduled Jobs to be Recovered

When the Scheduler service is started and there are some scheduled jobs that have not been recovered, the following error might be logged in the oim_diagnostic log:

Caused by: java.lang.NullPointerException
at
org.quartz.SimpleTrigger.computeNumTimesFiredBetween(SimpleTrigger.java:800)
at org.quartz.SimpleTrigger.updateAfterMisfire(SimpleTrigger.java:514)
at
org.quartz.impl.jdbcjobstore.JobStoreSupport.doUpdateOfMisfiredTrigger(JobStor
eSupport.java:944)
at
org.quartz.impl.jdbcjobstore.JobStoreSupport.recoverMisfiredJobs(JobStoreSuppo
rt.java:898)
at
org.quartz.impl.jdbcjobstore.JobStoreSupport.recoverJobs(JobStoreSupport.java:
780)
at
org.quartz.impl.jdbcjobstore.JobStoreSupport$2.execute(JobStoreSupport.java:75
2)
at
org.quartz.impl.jdbcjobstore.JobStoreSupport$40.execute(JobStoreSupport.java:3
628)
at
org.quartz.impl.jdbcjobstore.JobStoreSupport.executeInNonManagedTXLock(JobStor
eSupport.java:3662)
at
org.quartz.impl.jdbcjobstore.JobStoreSupport.executeInNonManagedTXLock(JobStor
eSupport.java:3624)
at
org.quartz.impl.jdbcjobstore.JobStoreSupport.recoverJobs(JobStoreSupport.java:
748)
at
org.quartz.impl.jdbcjobstore.JobStoreSupport.schedulerStarted(JobStoreSupport.
java:573)

This error is benign and can be ignored because there is no loss of functionality.

In an upgrade environment, the next time when some scheduled jobs will be triggered is not defined. This results in a null input for Quartz code, which is not handled gracefully in earlier versions of Quartz. This has been fixed in Quartz version 1.6.3, and therefore, this error is not generated when you upgrade to that version of Quartz.

24.2.79 Trusted Source GTC Reconciliation Mapping Cannot Display Complete Attribute Names

When creating a trusted GTC (for example, flat file), the right-hand column under OIM User is not wide enough to display the complete names for many attributes. For example, two entries are displayed as 'LDAP Organizati', whereas the attribute names are 'LDAP Organization' and 'LDAP Organization Unit'.

To workaround this issue, click the Mapping button for the attribute. The Provide Field Information dialog box is displayed with the complete attribute name.

24.2.80 Benign Error Logged for Database Connectivity Test

When running the database connectivity test in XIMDD, the following error is logged multiple times:

<Apr 10, 2011 7:45:20 PM PDT> <Error> <Default> <J2EE JMX-46335> <MBean attribute access denied.
   MBean: oracle.logging:type=LogRegistration
   Getter for attribute Application
   Detail: Access denied. Required roles: Admin, Operator, Monitor, executing
subject: principals=[REQUEST TEMPLATE ADMINISTRATORS, SYSTEM ADMINISTRATORS, APPROVAL POLICY ADMINISTRATORS, oimusers, xelsysadm, PLUGIN ADMINISTRATORS]
java.lang.SecurityException: Access denied. Required roles: Admin, Operator, Monitor, executing subject: principals=[REQUEST TEMPLATE ADMINISTRATORS, SYSTEM ADMINISTRATORS, APPROVAL POLICY ADMINISTRATORS, oim users, xelsysadm, PLUGIN ADMINISTRATORS]

Each time the error occurs in the log, the name of the bean is different, but the error is same. In spite of these errors, the test passes. These errors are benign and can be ignored because there is no loss of functionality.

24.2.81 MDS Validation Error When Importing GTC Provider Through the Deployment Manager

An MDS validation error is generated when you import the GTC provider by using the Deployment Manager.

To workaround this issue, do not import the GTC provider through the Deployment Manager. If the Deployment Manager XML file contains tags for GTC provider, then remove it and import the rest of the XML by using the Deployment Manager. Import the XML file with the GTC provider tags separately by using the MDS import utility. To do so:

  1. If the XML file being imported through the Deployment Manager contains <GTCProvider> tags, then remove these tags along with everything under them.

    The following is an example of the original XML file to be imported:

    <?xml version = '1.0' encoding = 'UTF-8'?>
    <xl-ddm-data version="2.0.1.0" user="XELSYSADM"
    database="jdbc:oracle:thin:@localhost:5521:myps12"
    exported-date="1302888552341" description="sampleGTC"><GTCProvider
    repo-type="MDS" name="InsertIntoTargetList"
    mds-path="/db/GTC/ProviderDefinitions"
    mds-file="InsertIntoTargetListProvTransport.xml"><completeXml><Provider><Provi
    der>
       <Provisioning>
          <ProvTransportProvider
    class="provisioningTransportProvider.InsertIntoTargetList"
    name="InsertIntoTargetList">
             <Configuration>
                <Parameter datatype="String" name="targetServerName"
    type="Runtime" encrypted="NO" required="YES"/>
                <Response code="FUNCTIONALITY_NOT_SUPPORTED"
    description="Functionality not supported"/>
                <Response code="TARGET_SERVER_NAME_MISSING" description="Target
    server name is missing"/>
                <Response code="TARGET_SERVER_NAME_STARTSWITH_A"
    description="Target server name starts with A, from XML"/>
                <Response code="PROBLEM_WHILE_INITIALIZAING" description="Problem
    occured while intializing Provider instance"/>
             </Configuration>
          </ProvTransportProvider>
       </Provisioning>
    </Provider></Provider></completeXml></GTCProvider><GTCProvider
    repo-type="MDS" name="PrepareDataHMap" mds-path="/db/GTC/ProviderDefinitions"
    mds-file="PrepareDataHMapProvFormat.xml"><completeXml><Provider><Provider>
       <Provisioning>
          <ProvFormatProvider class="provisioningFormatProvider.PrepareDataHMap"
    name="PrepareDataHMap">
             <Configuration>
                <DefaultAttribute datatype="String" name="testField" size="40"
    encrypted="NO"/>
                <Response code="INCORRECT_PROCESS_DATA" description="Incorrect
    process data received from GTC provisioning framework"/>
                <Response code="PROCESSING_ISSUE" description="Processing issue
    in Preparing provisioning input, check logs"/>
             </Configuration>
          </ProvFormatProvider>
       </Provisioning>
    </Provider></Provider></completeXml></GTCProvider><GTCProvider
    repo-type="MDS" name="IsValidOrgInOIM" mds-path="/db/GTC/ProviderDefinitions"
    mds-file="IsValidOrgInOIM.xml"><completeXml><Provider><Provider>
       <Validation>
          <ValidationProvider class="validationProvider.IsValidOrgInOIM"
    name="IsValidOrgInOIM">
             <Configuration>
                <Parameter datatype="String" name="maxOrgSize"/>
             </Configuration>
          </ValidationProvider>
       </Validation>
    </Provider></Provider></completeXml></GTCProvider><GTCProvider
    repo-type="MDS" name="ConvertToUpperCase"
    mds-path="/db/GTC/ProviderDefinitions"
    mds-file="ConvertToUpperCase.xml"><completeXml><Provider><Provider>
       <Transformation>
          <TransformationProvider
    class="transformationProvider.ConvertToUpperCase" name="ConvertToUpperCase">
             <Configuration>
                <Parameter type="Runtime" datatype="String" required="YES"
    encrypted="NO" name="Input"/>
                <Response code="errorRespNullInput" description="Input String is
    Missing"/>
             </Configuration>
          </TransformationProvider>
       </Transformation>
    </Provider></Provider></completeXml></GTCProvider><Resource repo-type="RDBMS"
    name="SAMPLEGTC_GTC">....</Resource><Process repo-type="RDBMS"
    name="SAMPLEGTC_GTC">
    ...........
    </Process><Form repo-type="RDBMS" name="UD_SAMPLEGT" subtype="Process
    Form">.....
    </Form>....</xl-ddm-data>
    
  2. Import the rest of the XML file through the Deployment Manager.

    The following is the XML file after removing the <GTCProvider> tags from the original XML file. Import this XML file by using the Deployment Manager.

    <?xml version = '1.0' encoding = 'UTF-8'?>
    <xl-ddm-data version="2.0.1.0" user="XELSYSADM"
    database="jdbc:oracle:thin:@localhost:5521:myps12"
    exported-date="1302888552341" description="sampleGTC"><Resource
    repo-type="RDBMS" name="SAMPLEGTC_GTC">....</Resource><Process
    repo-type="RDBMS" name="SAMPLEGTC_GTC">
    ...........
    </Process><Form repo-type="RDBMS" name="UD_SAMPLEGT" subtype="Process
    Form">.....
    </Form>....</xl-ddm-data>
    

    The following is the removed XML content:

    <GTCProvider
    repo-type="MDS" name="InsertIntoTargetList"
    mds-path="/db/GTC/ProviderDefinitions"
    mds-file="InsertIntoTargetListProvTransport.xml"><completeXml><Provider><Provider>
       <Provisioning>
          <ProvTransportProvider
    class="provisioningTransportProvider.InsertIntoTargetList"
    name="InsertIntoTargetList">
             <Configuration>
                <Parameter datatype="String" name="targetServerName"
    type="Runtime" encrypted="NO" required="YES"/>
                <Response code="FUNCTIONALITY_NOT_SUPPORTED"
    description="Functionality not supported"/>
                <Response code="TARGET_SERVER_NAME_MISSING" description="Target
    server name is missing"/>
                <Response code="TARGET_SERVER_NAME_STARTSWITH_A"
    description="Target server name starts with A, from XML"/>
                <Response code="PROBLEM_WHILE_INITIALIZAING" description="Problem
    occured while intializing Provider instance"/>
             </Configuration>
          </ProvTransportProvider>
       </Provisioning>
    </Provider></Provider></completeXml></GTCProvider>
     
    <GTCProvider
    repo-type="MDS" name="PrepareDataHMap" mds-path="/db/GTC/ProviderDefinitions"
    mds-file="PrepareDataHMapProvFormat.xml"><completeXml><Provider><Provider>
       <Provisioning>
          <ProvFormatProvider class="provisioningFormatProvider.PrepareDataHMap"
    name="PrepareDataHMap">
             <Configuration>
                <DefaultAttribute datatype="String" name="testField" size="40"
    encrypted="NO"/>
                <Response code="INCORRECT_PROCESS_DATA" description="Incorrect
    process data received from GTC provisioning framework"/>
                <Response code="PROCESSING_ISSUE" description="Processing issue
    in Preparing provisioning input, check logs"/>
             </Configuration>
          </ProvFormatProvider>
       </Provisioning>
    </Provider></Provider></completeXml></GTCProvider>
     
    <GTCProvider
    repo-type="MDS" name="IsValidOrgInOIM" mds-path="/db/GTC/ProviderDefinitions"
    mds-file="IsValidOrgInOIM.xml"><completeXml><Provider><Provider>
       <Validation>
          <ValidationProvider class="validationProvider.IsValidOrgInOIM"
    name="IsValidOrgInOIM">
             <Configuration>
                <Parameter datatype="String" name="maxOrgSize"/>
             </Configuration>
          </ValidationProvider>
       </Validation>
    </Provider></Provider></completeXml></GTCProvider>
     
    <GTCProvider
    repo-type="MDS" name="ConvertToUpperCase"
    mds-path="/db/GTC/ProviderDefinitions"
    mds-file="ConvertToUpperCase.xml"><completeXml><Provider><Provider>
       <Transformation>
          <TransformationProvider
    class="transformationProvider.ConvertToUpperCase" name="ConvertToUpperCase">
             <Configuration>
                <Parameter type="Runtime" datatype="String" required="YES"
    encrypted="NO" name="Input"/>
                <Response code="errorRespNullInput" description="Input String is
    Missing"/>
             </Configuration>
          </TransformationProvider>
       </Transformation>
    </Provider></Provider></completeXml></GTCProvider>
    
  3. Separate the removed XML content based on the <GTCProvier> tags. The following is an example of the first <GTCProvider> tag:

    <GTCProvider repo-type="MDS" name="InsertIntoTargetList"
    mds-path="/db/GTC/ProviderDefinitions"
    mds-file="InsertIntoTargetListProvTransport.xml"><completeXml><Provider><Provi
    der>
       <Provisioning>
          <ProvTransportProvider
    class="provisioningTransportProvider.InsertIntoTargetList"
    name="InsertIntoTargetList">
             <Configuration>
                <Parameter datatype="String" name="targetServerName"
    type="Runtime" encrypted="NO" required="YES"/>
                <Response code="FUNCTIONALITY_NOT_SUPPORTED"
    description="Functionality not supported"/>
                <Response code="TARGET_SERVER_NAME_MISSING" description="Target
    server name is missing"/>
                <Response code="TARGET_SERVER_NAME_STARTSWITH_A"
    description="Target server name starts with A, from XML"/>
                <Response code="PROBLEM_WHILE_INITIALIZAING" description="Problem
    occured while intializing Provider instance"/>
             </Configuration>
          </ProvTransportProvider>
       </Provisioning>
    </Provider></Provider></completeXml></GTCProvider>
    Resultant xml after removal of tags surronding inner <Provider> tag:
    <Provider>
       <Provisioning>
          <ProvTransportProvider
    class="provisioningTransportProvider.InsertIntoTargetList"
    name="InsertIntoTargetList">
             <Configuration>
                <Parameter datatype="String" name="targetServerName"
    type="Runtime" encrypted="NO" required="YES"/>
                <Response code="FUNCTIONALITY_NOT_SUPPORTED"
    description="Functionality not supported"/>
                <Response code="TARGET_SERVER_NAME_MISSING" description="Target
    server name is missing"/>
                <Response code="TARGET_SERVER_NAME_STARTSWITH_A"
    description="Target server name starts with A, from XML"/>
                <Response code="PROBLEM_WHILE_INITIALIZAING" description="Problem
    occured while intializing Provider instance"/>
             </Configuration>
          </ProvTransportProvider>
       </Provisioning>
    </Provider>
    
  4. From the removed <GTCProvider> tags, remove everything surrounding the inner <Provider> tag. In other words, keep the content inside the inner <Provider> tag. For each <Provider> tag, create a separate XML file. This results in multiple XML files with each <Provider> tag as the root element.

    The following is the resultant XML content after removal of tags surrounding the inner <Provider> tag:

    <Provider>
       <Provisioning>
          <ProvTransportProvider
    class="provisioningTransportProvider.InsertIntoTargetList" name="InsertIntoTargetList">
             <Configuration>
                <Parameter datatype="String" name="targetServerName" type="Runtime" encrypted="NO" required="YES"/>
                <Response code="FUNCTIONALITY_NOT_SUPPORTED" description="Functionality not supported"/>
                <Response code="TARGET_SERVER_NAME_MISSING" description="Target server name is missing"/>
                <Response code="TARGET_SERVER_NAME_STARTSWITH_A" description="Target server name starts with A, from XML"/>
                <Response code="PROBLEM_WHILE_INITIALIZAING" description="Problem occured while intializing Provider instance"/>
             </Configuration>
          </ProvTransportProvider>
       </Provisioning>
    </Provider>
    
  5. Name the resultant XML files, which have the <Provider> tag as the root element, with the mds-file attribute value from the <GTCProvider> tag. For example, name the first XML file with the first <GTCProvider> tag as InsertIntoTargetListProvTransport.xml. The file name must be the value of the mds-file attribute.

  6. Similarly, create other GTC provider XML files. There must be one XML file for each <GTCProvider> tag.

  7. Import the GTC Provider XML files by using the MDS utility.

24.2.82 Encrypted User-Defined Field (UDF) Cannot be Stored with Size of 4000 Characters or More

An encrypted UDF cannot be stored with size of 4000 characters or more. This is because encryption automatically increases the column width by 1.5 times approximately, and the size of the attribute exceeds the maximum allowable width of 4000. As a result, the UDF is automatically type-promoted to a CLOB data type. Oracle Identity Manager 11g Release 1 (11.1.1) does not intercept this as an exception and might subsequently show errors. This is likely to be addressed in the next patch release.

However, an encrypted attribute that does not exceed the final width of 4000 characters can be stored. The specified width must factor in the increment of 1.5 times, which means that it must not exceed approximately 2500 characters.

24.2.83 Request Approval Fails With Callback Service Failure

In an environment where SSL is enabled in the OAAM server but not in Oracle Identity Manager and SOA server, when you create a request, the request-level approval is successful on the SOA side, but the operational-level approval is not displayed anywhere in the UI. When the SOA composite that provides approval workflow for the Oracle Identity Manager request tries to invoke the request callback Web service to indicate whether the workflow is approved or rejected, the Web service invocation fails with the following error:

Unable to dispatch request to
http://slc402354.us.oracle.com:14000/workflowservice/CallbackService due to exception[[
javax.xml.ws.WebServiceException:
oracle.fabric.common.PolicyEnforcementException: PolicySet Invalid: WSM-06162
PolicyReference The policy referenced by URI
"oracle/wss11_saml_token_with_message_protection_client_policy" could not be
retrieved as connection to Policy Manager cannot be established at
"t3s://slc402354:14301" due to invalid configuration or inactive state.

The error indicates that OWSM is not able to connect to the Policy Manager on the specified port. This port is for the OAAM server in SSL mode, which is shut down. The issue occurs because SSL is enabled in the OAAM server but not on Oracle Identity Manager and SOA server, and the Policy Manager is also targeted on that server. If there is an SSL-enabled Policy Manager, then OWSM does not use the non-SSL ports anymore. In this setup, SSL is enabled only for OAAM and not for others. Therefore, the only usable WSM Policy Manager is on OAAM. Because the OAAM server is down, the connection to the Policy Manager is not established, and as a result, the call fails.

To workaround this issue, start the OAAM server and then create the request.

Note:

This issue does not occur if:
  • OAAM server is not SSL-enabled.

  • SSL is enabled on any other server that is up and running, such as Oracle Identity Manager or SOA server.

24.2.84 Localized Display Name is Not Reconciled Via User/Role Incremental Reconciliation with iPlanet Directory Server

In an Oracle Identity Manager deployment with LDAP synchronization enabled in which iPlanet is the directory server, the following issues occur:

  • The localized Display Name is not reconciled into Oracle Identity Manager via user/role incremental reconciliation.

  • The localized value of the Display Name attribute is returned to Oracle Identity Manager, but the original base value of Display Name is lost and is replaced by the localized value that is received from iPlanet.

24.2.85 LDAP Role Hierarchy and Role Membership Reconciliation With Non-ASCII Characters Does Not Reconcile Changes in Oracle Identity Manager

LDAP role hierarchy and role membership reconciliation jobs with non-ASCII characters do not bring in role hierarchy and role membership changes into Oracle Identity Manager. This issue is applicable to incremental reconciliation only.

24.2.86 Import of Objects Fails When All Objects Are Selected for Export

In an upgraded environment of Oracle Identity Manager 11g Release 1 (11.1.1), the import of objects can fail when you select the Select All option to export the objects. When you select all the objects to be exported, the corresponding XML file grows in size. If it exceeds 2.5 million records, then it does not remain valid. As a result, the import fails. However, selecting all objects works if the data is small and the generated XML file does not exceed 2.5 million records.

To workaround this issue, select the objects to be exported in smaller logical units. For example, if there are 20 resource objects in the system, then select four or five resource objects with all dependencies and children objects in a XML file, and export. Then select another five resource objects into a new XML file. Similarly, for all other objects, such as GTC or adapters, export in small logical units in separate XML files. Examples of logical unit grouping are:

  • Resource objects, process definition forms, adapters, IT resources, lookup definitions, and roles

  • Organizations, attestation, and password policies

  • Access policies and rules

  • GTC and resource objects

24.2.87 Benign Audit Errors Logged After Upgrade

After upgrading from Oracle Identity Manager Release 9.1.0 to 11g Release 1 (11.1.1), audit errors are logged. An example of such an audit error is:

IAM-0050001
oracle.iam.platform.async.TaskExecutionException: java.lang.Exception: Audit
handler failed
at com.thortech.xl.audit.engine.jms.XLAuditMessage.execute(XLAuditMessage.java:59)

These errors are benign and can be ignored because there is no loss of functionality.

24.2.88 Connector Upgrade Fails if Existing Data is Bigger in Size Than New Column Length

In the current release of some connectors, the sizes of some process form fields have been reduced. For example, the length of the UD_ADUSER_MNAME field in the Microsoft Active Directory connector release 9.1.1.5 has been reduced to 6 characters from 80 characters in release 9.0.4.16 of the connector. The length of the existing data in these columns or fields are already bigger in size than the new column length. As a result, the connector upgrade fails, and the following error is logged:

<Apr 16, 2011 4:52:37 PM GMT+05:30> <Error> <XELLERATE.DATABASE> <BEA-000000>
<ALTER TABLE UD_ADUSER MODIFY UD_ADUSER_MNAME VARCHAR2(6) java.sql.SQLException: ORA-01441: cannot decrease column length because some value is too big

To workaround this issue:

  1. Make sure that you create a backup of the database.

  2. Restore the backed up database.

  3. Check the logs to locate the 'ORA-01441: cannot decrease column length because some value is too big' exception. Note the form field name, such as UD_ADUSER_MNAME.

  4. Open the Deployment Manager XML file that you are using for upgrade. Search for the form field in the <SDC_SQL_LENGTH> tag, and change the length to the base version length. You can get the base version length in the Deployment Manager XML of the base connector.

  5. Retry the upgrade.

24.2.89 Connector Artifacts Count Increases in the Deployment Manager When File is Not Imported

When you upgrade a connector, map the connector artifacts between the base and latest versions, select the connector objects to be upgraded, and exit the upgrade without importing the objects by using the Deployment Manager, the connector artifacts count in the left panel displays more than the actual count. When this process is repeated, the artifacts count continues increasing. This is a known issue, and there is no loss of functionality.

24.2.90 Uploading JAR Files By Using the Upload JAR Utility Fails

When SSL is enabled for Oracle Identity Manager, uploading the JAR files by using the Upload JAR utility fails with the following error:

Error occurred in performing the operation:
Exception in thread "main" java.lang.NullPointerException at oracle.iam.platformservice.utils.JarUploadUtility.main(JarUploadUtility.java:229)

With SSL enabled in Oracle Identity Manager, the server URL must contain the exact host name or IP address. If localhost is used as the host name, then the error is generated.

To workaround this issue, use the exact server URL.

24.2.91 Oracle Identity Manager Data and MT Upgrade Fails Because Change of Database User Password

If you are NOT upgrading the original Oracle Identity Manager Release 9.x database, but choose to export/import to a new database, then you must make sure that the database connection setting, schema name, and password in the OIM_HOME/xellerate/config/xlconfig.xml file used for the upgrade is correct.

To workaround this issue, change the Oracle Identity Manager database information in the xlconfig.xml file. You must create a backup of this file before updating it. To update the file with the new database information, modify the information of the loaction where the database has been imported in the <URL>, <username>, and <Password ...> tags, as shown:

<DirectDB>
<driver>oracle.jdbc.driver.OracleDriver</driver>
<url>jdbc:oracle:thin:@localhost:1522:oimdb</url>
<username>oimadm</username>
<password encrypted="false"><NEW_PASSWORD_FOR_OIM_DB_USER></password>
<maxconnections>5</maxconnections>
<idletimeout>360</idletimeout>
<checkouttimeout>1200</checkouttimeout>
<maxcheckout>1000</maxcheckout>
</DirectDB>

24.2.92 Reverting Unsaved UDFs Are Not Supported in the Administration Details Page for Roles and Organizations

The Administration Details pages for roles and organizations in the Administrative and User Console do not support reverting unsaved UDF attribute values. Therefore, if you modify the UDF attribute values for a role or organization and then do not want to save the changes to these attributes, then perform one of the following:

  • Close the tab with the modified role or organization. A warning message is displayed asking if you want to continue. Clicking Yes cancels all unsaved changes.

  • You can manually edit the modified attributes to their original state. Saving the entity applies any other desired changes made.

24.2.93 Resources Provisioned to User Without Checking Changes in User Status After Request is Submitted

After submission of a request, if the user associated with the request, such as beneficiary, requester, or approver, is disabled or deleted, then the resources are provisioned to the user without checking for user status, such as Disabled or Deleted, after the request is approved.

24.2.94 Config.sh Command Fails When JRockit is Installed With Data Samples and Source

When you install jrockit-jdk1.6.0_24-R28.1.3-4.0.1-linux-x64.bin with demo samples and source, and install Oracle WebLogic Server using wls1035_generic.jar on a Linux 64-bit computer, and run Oracle Identity Manager configuration wizard by running the config.sh command from the $ORACLE_HOME/bin/ directory, the Oracle universal installer does not start and the following error message is displayed:

config.sh: line 162:  9855 Segmentation fault $INSTALLER_DIR/runInstaller-weblogicConfig ORACLE_HOME="$ORACLE_HOME" -invPtrLoc$ORACLE_HOME/oraInst.loc -oneclick $COMMANDLINE -Doracle.config.mode=true

24.2.95 Unexpected Memory Usage in Oracle Identity Manager 11g Release 1(11.1.1)

On running scheduled tasks that perform user orchestration in bulk, such as EndDateSchedulerTask and StartDateSchedulerTask, Oracle Identity Manager 11g Release 1 (11.1.1) might consume large memory space. This can cause Out of Memory issues.

This is a known issue, and a workaround is not available for this in the current release.

24.2.96 Reports Link No Longer Exists in the Administrative and User Console

Under the Administration tab of the Advanced Administration in the Administrative and User Console, the Reports link to generate BI Publisher Reports has been removed, even though BIP has been selected while installing Oracle Identity Manager.

24.2.97 Not Allowing to Delete a Role Whose Assigned User Members are Deleted

If the user members of a role have been deleted before revoking the role memberships, then the role cannot be deleted. Therefore, you must revoke the user role memberships that have been explicitly assigned before deleting the user.

24.2.98 Roles and Organizations Do Not Support String UDFs of Password Type

Creating a String UDF of password type for roles and organizations is not supported. If you try to create such a UDF, then the Administrative and User Console does not allow you create roles and organizations.

24.2.99 Manage Localizations Dialog Box Does Not Open After Modifying Roles

After a role is modified, the Manage Localizations dialog box is not opening on clicking the Manage Localizations button in the role details page.

To open the Manage Localizations dialog box after modifying a role, close the role details page and open it again.

24.2.100 Not Allowing to Create User With Language-Specific Display Name Values

In an Oracle Identity Manager deployment with Microsoft Active Directory (AD) as the LDAP server, localized display name values are supported when you specify the oimLanguage parameter values in the UserManagement plugin adapter for AD via OVD. However, a user cannot be created when a language-specific value for the Display Name attribute is specified in Canadian French or Latin American Spanish, even if these languages have been specified in oimLanguage. In addition, when you create a user without language-specific Display Name, and then modify the user to add Canadian French or Latin American Spanish Display Name values, the same issue persists.

24.2.101 SoD Check Results Not Displayed for Requests Created by Users for the PeopleSoft Resource

SoD check results are not displayed for the requests created by users for the PeopleSoft (PSFT) resource.

To workaround this issue:

  1. Open the PSFT connector XML file.

  2. Under the <ITResource name = "PSFT Server"> tag, add the following:

    <ITResourceAdministrator>
        <SUG_READ>1</SUG_READ>
        <SUG_UPDATE>1296129050000</SUG_UPDATE>
        <UGP_KEY UserGroup = "ALL USERS"/>
    </ITResourceAdministrator>
    
  3. Save the PSFT connector XML file.

  4. Manually add or assign the ALL USERS role with Read permission to the PSFT Server IT resource.

24.2.102 The XL.UnlockAfter System Property and the Automatically Unlock User Scheduled Job Do Not Take Effect

The XL.UnlockAfter system property determines the unlock time for the locked user accounts after the specified time. If the user account is locked because of the maximum login attempt failure with invalid credentials, then the account is automatically unlocked after the time (in minutes) as configured in the XL.UnlockAfter system property. By default, the value of this system property is 0, which implies that the locked user is never unlocked automatically.

The Automatically Unlock User scheduled job is responsible for unlocking such users. This scheduled job is configured to run after every 24 hours (1 day).

Therefore, even after the maximum time of Oracle WebLogic lockout threshold and expiry of the time specified for the XL.UnlockAfter system property, the locked users might not be able to login unless the Automatically Unlock User scheduled job is run.

If you are changing the default value of the XL.UnlockAfter system property, then it is recommended to change the frequency of the Automatically Unlock User scheduled task so that both the values are in sync. This ensures that the scheduled task gets triggered at the appropriate interval, and the users are unlocked successfully and are able to login in to Oracle Identity Manager.

24.2.103 Resetting Password on Account Lockout Does Not Unlock User

In a Oracle Identity Manager deployment with LDAP synchronization enabled and integrated with Oracle Access Manager (OAM), a user is locked on entering incorrect password more than the maximum allowed limit. However, the user is not allowed to unlock by resetting the password until after reconciliation is run.

24.2.104 Incremental and Full Reconciliation Jobs Cannot Be Run Together

Both incremental and full reconciliation jobs cannot be run at the same time. Incremental reconciliation jobs are enabled and run in periodic intervals of 5 minutes. At the same time, when full reconciliation job is run, an error is generated.

To workaround this issue, if full reconciliation needs to be run, then disable the incremental reconciliation jobs before running the full reconciliation jobs. After full reconciliation completes successfully, re-enable the incremental reconciliation jobs.

24.2.105 Incorrect Content in the ScheduleTask Jars Loaded and Third Party Jars Tables in the MT Upgrade Report

When Oracle Identity Manager release 9.1.x is upgraded to Oracle Identity Manager 11g Release 1 (11.1.1), the contents of the ScheduleTask Jars Loaded and Third Party Jars tables in the CRBUpgradeReport.html page generated by MT upgrade are not correct. The original scheduled task JARs are not displayed in the ScheduleTask Jars Loaded table. Therefore, you must run the SQL query query to know the scheduled task JARs. In addition, the third-party JARs are incorrectly placed in the ScheduleTask Jars Loaded table.

However, this does not result in any loss of functionality.

24.2.106 Scroll Bar Not Available on the Select Connector Objects to Be Upgraded Page of the Connector Management - Upgrading Wizard

If the Connector Management - Upgrading wizard is opened by using Microsoft Internet Explorer, then all the fields and buttons on the Step 13: Select Connector Objects to Be Upgraded page might not be visible. There is no scroll bar available in this page. Therefore, maximize the window to display all the controls in the page.

24.2.107 Adapter Import Might Display Adapter Logic if Compilation Fails Because of Incorrect Data

If you import a process task adapter by using the Design Console and the adapter compilation fails because of incorrect data, then the error displays the entire code for the adapter.

This is a known issue, and a workaround is not available for this in the current release.

24.2.108 XIMDD Tests Fail in Oracle Identity Manager

After you deploy the Diagnostic Dashboard in Oracle Identity Manager, failures are encountered when you perform the following tests:

  • Test OWSM setup by submitting a request with OWSM header information

  • Test SPML to Oracle Identity Manager request invocation

The failures might occur because the Diagnostic Dashboard is not capable of performing tests when the wss1_saml_or_username_token_policy is attached to the SPML XSD Web services.

To workaround this issue, set the Web service to use the XIMDD supported policy. To configure the policies for the SPML XSD Web service:

  1. Login to Fusion Middleware Control.

  2. Navigate to Application Deployments, spml-xsd.

  3. For a clustered deployment of Oracle Identity Manager, expand and select a node.

  4. From the Application Deployment menu, select Web Services.

  5. Click the Web Service Endpoint tab, and then click the SPMLServiceProviderSOAP link.

  6. Click the Policies tab, and then click Attach/Detach.

  7. Detach the default policy: oracle/wss11_saml_or_username_token_with_message_protection_service_policy.

  8. Under Available Policies, select oracle/wss_username_token_service_policy. Otherwise, select the SSL version of the same policy if SSL is in use.

  9. Click Attach, and then click OK.

  10. For a clustered deployment of Oracle Identity Manager, repeat step 3 through step 9 for each managed node listed for SPML XSD.

  11. Restart the application servers.

24.3 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

24.3.1 Configuring UDFs to be Searchable for Microsoft Active Directory Connectors

A Microsoft Active Directory connector installation automatically creates a UDF: USR_UDF_OBGUID. When you add a new user-defined field (UDF), the "searchable" property will be false by default unless you provide a value for that property. After installing an Active Directory connector, you must perform the following steps to make the user-defined field searchable:

  1. Using the Advanced Administration console (user interface), change the "searchable" UDF property to true by performing the following steps:

    1. Click the Advanced tab.

    2. Select User Configuration and then User Attributes.

    3. Modify the USR_UDF_OBGUID attribute in the Custom Attributes section by changing the "searchable" property to true.

  2. Using the Identity Administration console (user interface), create a new Oracle Entitlement Server policy that allows searching the UDF by performing the following steps:

    1. Click the Administration tab and open the Create Authorization policy.

    2. Enter a Policy Name, Description, and Entity Name as User Management.

    3. Select Permission, then View User Details, and then Search User.

    4. Edit the Attributes for View User Details and select all of the attributes.

    5. Select the SYSTEM ADMINSTRATOR role name.

    6. Click Finish.

24.3.2 Creating or Modifying Role Names When LDAP Synchronization is Enabled

When LDAP synchronization is enabled and you attempt to create or modify a role, entering a role name comprised of approximately 1,000 characters prevents the role from being created or modified and causes a Decoding Error to appear. To work around this issue, use role names comprised of fewer characters.

24.3.3 ADF Issue Causes Oracle Identity Manager to Fail on the Sun JDK

Due to an ADF issue, using the Oracle Identity Manager application with the Sun JDK causes a StringIndexOutOfBoundsException error. To work around this issue, add the following option to the DOMAIN_HOME/bin/setSOADomainEnv.sh or the setSOADomainEnv.cmd file:

  1. Open the DOMAIN_HOME/bin/setSOADomainEnv.sh or setSOADomainEnv.cmd file.

  2. Add the -XX:-UseSSE42Intrinsics line to the JVM options.

  3. Save the setSOADomainEnv.sh or setSOADomainEnv.cmd file.

    Note:

    This error does not occur when you use JRockit.

24.3.4 Nexaweb Applet Does Not Load In an Oracle Identity Manager and Oracle Access Manager Integrated Environment

In an Oracle Identity Manager and Oracle Access Manager (OAM) integrated environment, when you login to the Oracle Identity Manager Administrative and User Console and click a link that opens the Nexaweb applet, the applet does not load.

To workaround this issue, configure loading of the NexaWeb Applet in an Oracle Identity Manager and OAM integrated environment. To do so:

  1. Login to the Oracle Access Manager Console.

  2. Create a new Webgate ID. To do so:

    1. Click the System Configuration tab.

    2. Click 10Webgates, and then click the Create icon.

    3. Specify values for the following attributes:

      Name: NAME_OF_NEW_WEBGATE_ID

      Access Client Password: PASSWORD_FOR_ACCESSING_CLIENT

      Host Identifier: IDMDomain

    4. Click Apply.

    5. Edit the Webgate ID, as shown:

      set 'Logout URL' = /oamsso/logout.html

    6. Deselect the Deny On Not Protected checkbox.

  3. Install a second Oracle HTTP Server (OHS) and Webgate. During Webgate configurations, when prompted for Webgate ID and password, use the Webgate ID name and password for the second Webgate that you provided in step 2c.

  4. Login to the Oracle Access Manager Console. In the Policy Configuration tab, expand Application Domains, and open IdMDomainAgent.

  5. Expand Authentication Policies, and open Public Policy. Remove the following URLs in the Resources tab:

    /xlWebApp/.../*

    /xlWebApp

    /Nexaweb/.../*

    /Nexaweb

  6. Expand Authorization Policies, and open Protected Resource Policy. Remove the following URLs in the Resources tab:

    /xlWebApp/.../*

    /xlWebApp

    /Nexaweb/.../*

    /Nexaweb

  7. Restart all the servers.

  8. Update the obAccessClient.xml file in the second Webgate. To do so:

    1. Create a backup of the SECOND_WEBGATE_HOME/access/oblix/lib/ObAccessClient.xml file.

    2. Open the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file.

      Note:

      Ensure that the DenyOnNotProtected parameter is set to 0.
    3. Copy the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file to the SECOND_WEBGATE_HOME/access/oblix/lib/ directory.

  9. Copy the mod_wls_ohs.conf from the FIRST_OHS_INSTANCE_HOME/config/OHS_NAME/directory to the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/ directory. Then, open the mod_wls_host.conf of the second OHS to ensure the WebLogicHost and WeblogicPort are still pointing to Oracle Identity Manager managed server host and port.

  10. Remove or comment out the following lines in the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/httpd.conf file:

    <LocationMatch "/oamsso/*">
       Satisfy any
    </LocationMatch>
    
  11. Copy the logout.html file from the FIRST_WEBGATE_HOME/access/oamsso/ directory to the SECOND_WEBGATE_HOME/access/oamsso/ directory. Then, open the logout.html file of the second Webgate to ensure that the host and port setting of the SERVER_LOGOUTURL variable are pointing to the correct OAM host and port.

  12. Login to Oracle Access Manager Console. In the Policy Configuration tab, expand Host Identifiers, and open the host identifier that has the same name as the second Webgate ID name. In the Operations section, verify that the host and port for the second OHS are listed. If not, then click the add icon (+ sign) to add them. Then, click Apply.

  13. Use the second OHS host and port in the URL for the OAM login page for Oracle Identity Manager. The URL must be in the following format:

    http://SECOND_OHS_HOST:SECOND_OHS_PORT/admin/faces/pages/Admin.jspx

24.3.5 Packing a Domain With managed=false Option

When a domain is packed with the managed=false option and unpacked on the another computer, Oracle Identity Manager Authentication Provider is not recognized by WebLogic and basic administrator authentication fails when the Oracle Identity Manager managed server is started.

The following workaround can be applied for performing successful authentication via Oracle Identity Manager Authentication Provider:

  1. Login in to the Oracle WebLogic Administrative Console by using the following URL:

    http://HOST_NAME:ADMIN_PORT/console

  2. Navigate to Security Realms, Realm(myrealm), and then to Providers.

  3. Delete OIMAuthenticationProvider.

    Note:

    Make sure that you note the provider-specific details, such as the database URL, password, and driver, before deleting the provider.
  4. Restart the WebLogic Administrative Server.

  5. Navigate to Security Realms, Realm(myrealm), and then to Providers.

  6. Create a new Authentication Provider of type OIMAuthenticationProvider.

  7. Enter the provider specific details and mark the control flag as SUFFICIENT.

  8. Restart the WebLogic Administrative Server.

  9. Restart Oracle Identity Manager and other servers, if any.

24.3.6 Option Not Available to Specify if Design Console is SSL-Enabled

While configuring Oracle Identity Manager Design Console, you cannot specify if Design Console is SSL-enabled.

To workaround this issue after installing Oracle Identity Manager Design Console, edit the OIM_HOME/designconsole/config/xlconfig.xml file to change the protocol in the Oracle Identity Manager URL from t3 to t3s.

24.3.7 Nexaweb Applet Does Not Load in JDK 1.6.0_20

Deployment Manager and Workflow Visualizer might not work if the client browser has JDK/JRE installed on it whose version is 1.6.0_20. To workaround this issue, uninstall the JDK/JRE version 1.6.0_20 from the client browser and reinstall the JDK/JRE version 1.6.0_15.

24.3.8 Oracle Identity Manager and Design Console Must be Installed in Different Directory Paths

Oracle recommends to install Oracle Identity Manager and the Design Console in different directory paths.

24.4 Multi-Language Support Issues and Limitations

This section describes multi-language issues and limitations. It includes the following topics:

24.4.1 Multi-language Valued Attributes in SPML and Oracle Identity Manager Do Not Match

Oracle Identity Manager supports only the Display Name attribute for multi-language values. SPML specifies additional attributes, such as commonName and surname, as multi-language valued in the PSO schema. When multiple locale-values are specified in an SPML request for one of these attributes, only a single value is picked and passed to Oracle Identity Manager. The request will not fail and a warning message identifying the attributes and the value that was passed to Oracle Identity Manager is provided in the response.

24.4.2 Login Names with Some Special Characters May Fail to Register

In Oracle Identity Manager, the user login name is case-insensitive. When a user is created, the login name is converted to upper case and saved in the database. But the password is always case-sensitive. However, some special characters may encounter an error while registering to Oracle Identity Manager:

  • Both the Greek characters &#963; (sigma) and &#962; (final sigma) maps to the &#931; character.

  • Both English character i and Turkish character &#305; maps to the I character.

  • Both German character ß and English string SS maps to the SS string.

This means that two user login names containing these special characters when the other characters in the login names are same cannot be created. For example, the user login names Johnß and JohnSS maps to the same user login name. If Johnß already exists, then creation of JohnSS is not allowed because both the ß character and the SS string maps to the SS string.

24.4.3 The Create Role, Modify Role, and Delete Role Request Templates are Not Available for Selection in the Request Templates List

The Create Role, Modify Role, and Delete Role request templates are not available in the Request Templates list of the Create Request wizard. This is because request creation by using any request template that are based on the Create Role, Modify Role, and Delete Role request models are supported from the APIs, but not in the UI. However, you can search for these request templates in the Request Templates tab. In addition, the Create Role, Modify Role, and Delete Role request models can be used to create approval policies and new request templates.

24.4.4 Parameter Names and Values for Scheduled Jobs are Not Translated

In the Create Job page of Oracle Identity Manager Advanced Administration, the fields in the Parameter section and their values are not translated. The parameter field names and values are available only in English.

24.4.5 Bidirectional Issues for Legacy User Interface

The following are known issues in the legacy user interface, also known as TransUI, contained in the xlWebApp war file:

  • Hebrew bidirectional is not supported

  • Workflow designer bidirectional is not supported for Arabic and Hebrew

24.4.6 Localization of Role Names, Role Categories, and Role Descriptions Not Supported

Localization of role names, categories, and descriptions is not supported in this release.

24.4.7 Localization of Task Names in Provisioning Task Table Not Supported

All Task Name values in the Provisioning Task table list are hard-coded and these pre-defined process task names are not localized.

24.4.8 Localization of Search Results of Scheduled Tasks Not Supported

When you search Scheduler Tasks using a Simple or Advanced search, the search results are not localized.

24.4.9 Searching for User Login Names Containing Certain Turkish Characters Causes an Error

On the Task Approval Search page, if you select "View Tasks Assigned To", then "Users You Manage", and then choose a user whose login name contains a Turkish Undotted "&#305" or a Turkish dotted "&#304" character, a User Not Found error will result.

24.4.10 Localization of Notification Template List Values for Available Data Not Supported

Localizing Notification Template Available Data list values is not supported in this release. Oracle Identity Manager depends upon the Velocity framework to merge tokens with actual values, and Velocity framework does not allow a space in token names.

24.4.11 Searching for Entity Names Containing German "ß" (Beta) Character Fails in Some Features

When you search for entity names containing the special German "ß" (beta) character from the Admin Console, the search fails in the following features:

  • System Configuration

  • Request Template

  • Approve Policy

  • Notification

In these features, the "ß" character matches to "ss" instead of itself. Consequently, the Search function cannot find entity names that contain the German beta character.

24.4.12 Special Asterisk (*) Character Not Supported

Although special characters are supported in Oracle Identity Manager, using the asterisk character (*) can cause some issues. You are advised not to use the asterisk character when creating or modifying user roles and organizations.

24.4.13 Translated Error Messages Are Not Displayed in UI

Oracle Identity Manager does not support custom resource bundles for Error Message display in user interfaces. Currently, there is no workaround for this issue.

24.4.14 Reconciliation Table Data Strings are Hard-coded on Reconciliation Event Detail Page

Some of the table data strings on the Reconciliation Event Detail page are hard-coded, customized field names. These strings are not localized.

24.4.15 Translated Password Policy Strings May Exceed the Limit in the Background Pane

Included as per bug# 9539501

The password policy help description may run beyond the colored box in some languages and when the string is too long. Currently, there is no workaround for this issue.

24.4.16 Date Format Validation Error in Bi-Directional Languages

When Job Detail page is opened in bi-directional languages, you cannot navigate away from this page because of "Date Format Validation Error". To work around this issue, select a value for the "Start Date" using the date-time control and then move to another page.

24.4.17 Mistranslation on the Create Job page

On the Japanese locale (LANG=ja_JP.UTF-8), "Fourth Wednesday" is mistranslated as "Fourth Friday" on the Create Job page when "Cron" is selected as the Schedule Type and "Monthly on given weekdays" is selected as the Recurring Interval.

24.4.18 E-mail Notification for Password Expiration Cannot Be Created With Arabic Language Setting

When the server locale is set to ar_AE.utf8 and values for user.language and user.region system properties are ar and AE respectively, if you create a password expiration warning e-mail notification in the Design Console, the value AE is not available for selection in the Region field. As a result, the email notification message cannot be created.

To workaround this issue:

  1. Open the Lookup Definitions form in the Design Console.

  2. Search for 'Global.Lookup.Region'.

  3. Add an entry with Code key and Decode value as 'AE'. You can now create an e-mail definition with language ar and region AE.

24.4.19 Translated Justification is Not Displayed in Access Policy-Based Resource Provisioning Request Detail

When an access policy with approval is created, it generates a resource provisioning request that is subject to approval. In the request details page in Self Service or Advanced Administration, the translated request justification according to the locale setting by the user is not displayed. The justification is displayed in the default server locale.

24.4.20 Additional Single Quotes Displayed in GTC Reconciliation Mapping Page for French UI

When you set the Oracle Identity Manager Administrative and User Console locale to French, select the Provisioning and Reconciliation checkboxes while creating a Generic Technology Connector (GTC), and map the reconciliation fields in the page for modifying mapping fields, a message is displayed with two single quotes. You can ignore the single quotes because this is benign and has no effect on functionality.

24.4.21 Not Allowing to Enter Design Console Password When Server Locale is Set to Simple Chinese, Traditional Chinese, Japanese, or Korean

When you set the server locale to Simple Chinese, Traditional Chinese, Japanese, or Korean, and start the Design Console, you are not allowed to enter the password to login to the Design Console.

To workaround this issue:

  1. Kill all scim processes. To do so, run the following command:

    kill `pgrep scim`
    
  2. Edit the scim config file. To do so:

    1. Search for the following line:

      /FrontEnd/X11/Dynamic = ......

    2. Enter true as the value, as shown:

      /FrontEnd/X11/Dynamic = true

      Note:

      If this line does not exist, then enter:

      /Frontend/X11/Dynamic = true

    3. Save the file.

  3. Log out of the VNC viewer.

  4. Restart the VNC server and log in again. You can now enter the password for the Design Console.

24.4.22 Bidirectional Text Not Supported in Nexaweb Pages

The Nexaweb pages that open from the Oracle Identity Manager Administrative and User Console do not support bidirectional text. For example, when you select any of the languages that are written from right to left, such as Arabic or Hebrew, and click Install Connector on the Welcome page, search for a connector, click Upgrade, and then proceed to step 13 of the Connector Upgrade wizard, the text in the page is not displayed from right to left.

24.4.23 Do Not Modify Oracle Identity Manager Predefined System Properties in Non-English Locale

When the user preference language for the Administrative and User Console is not English, and you update the value of a predefined system property in Oracle Identity Manager, translated property name and keyword are written in the PTY table. Therefore, on searching for system properties in the Administrative and User Console, this system property is not found.

24.4.24 Error Generated When Translated String for System Property Name Exceeds Maximum Allowed Length in PTY_NAME Column

When you try to set the value of a system property in a Western language UI, such as French, and if the translation string length exceeds the maximum allowed length, which is 80 characters, in the PTY_NAME column of the PTY table, then an error is generated.

24.4.25 Password Notification is Not Sent if User Login Contains Special Characters

For a user entity created with valid e-mail address in LDAP, if the User Login contains the German beta character, then the notification message is not sent on running LDAP user create/update full reconciliation.

24.4.26 Reset Password Fails if User Login Contains Lowercase Special Characters

In a Oracle Identity Manage deployment with LDAP synchronization enabled, if the User Login contains special characters such as Turkis dotted I, dotless i, German beta, and Greek sigma in lowercase format, then the reset password does not work.

To workaround this issue, use uppercase User Login to reset password because User Login is not case-sensitive in Oracle Identity Manager.

24.5 Documentation Errata

Documentation Errata: Currently, there are no documentation issues to note.