Contents

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

What's New in the Oracle Application Server Release Notes?

• Chapter 2, "Installation and Upgrade Issues"
• Chapter 5, "Oracle Access Manager"
• Chapter 6, "Oracle Application Server Single Sign-On"
• Chapter 7, "Oracle Identity Federation"
• Chapter 12, "Oracle Delegated Administration Services"

1 Introduction

• 1.1 Latest Release Information
• 1.2 Purpose of this Document
• 1.3 Operating System Requirements
• 1.4 Multiple Versions of Identity Management in this Release
• 1.5 Certification Information
• 1.6 Licensing Information

2 Installation and Upgrade Issues

• 2.1 Installation Issues
  • 2.1.1 Workaround if HTTP Server Configuration Assistant Fails
  • 2.1.2 IPv6 Not Supported
  • 2.1.3 Unique Global Database Name Required During Installation
  • 2.1.4 Do Not Use Turkish Locale During Installation
  • 2.1.5 Oracle Application Server Repository Creation Assistant Fails During Loading When the Database Uses Certain Chinese Character Sets
  • 2.1.6 OracleAS Cold Failover Cluster: Additional Configuration Steps for Oracle Delegated Administration Services
  • 2.1.7 Oracle Internet Directory SSL Connection Fail Intermittently
  • 2.1.8 Incorrect Location for Debug Message
  • 2.1.9 Illegible or Garbage Characters Output in a Russian Locale
  • 2.1.10 Application Server Control Console Link Not Operational in non-English Installations
  • 2.1.11 Set the NLS Parameter Before Installing
  • 2.1.12 Excessive Privileges for OracleAS Metadata Repository Installations
  • 2.1.13 Incorrect Guidelines for Online Help
  • 2.1.14 OIDCA Fails Due to Misconfiguration in /etc/hosts
  • 2.1.15 DB Console of Infrastructure IM+MR Cannot be Started
  • 2.1.16 Error Messages in log files
• 2.2 Upgrade Issues
  • 2.2.1 Clarification of When to Run the Metadata Repository Upgrade Assistant
  • 2.2.2 Upgrade of Identity Management Installation to 10.1.4.0.1
  • 2.2.3 Additional Step Required When Upgrading OracleAS Metadata Repository Release 9.0.4.3 to 10.1.4.0.1
  • 2.2.4 Configuring Port Values for the Load Balancer and Oracle Internet Directory When Upgrading Oracle Application Server Cluster (Identity Management)
  • 2.2.5 Harmless Error Messages During OracleAS Metadata Repository Upgrade
  • 2.2.6 Metadata Repository Container Version
  • 2.2.7 Issues When Using the ldifwrite Command to Back Up the Oracle Internet Directory
  • 2.2.8 Upgrade of OracleAS Cold Failover Clusters Fails While Running Configuration Assistant
• 2.3 Documentation Errata
  • 2.3.1 Possible Error Message When Decommissioning a 10.1.4.0.1 Oracle Home After Upgrade
  • 2.3.2 Incorrect Line Breaks in MRUA Sample Output
  • 2.3.3 Incorrect Global Database Naming Standard

3 General Management and Security Issues

• 3.1 General Management Issues
  • 3.1.1 Modifying targets.xml After Enabling SSL for Oracle Identity Management 10g (10.1.4.0.1)
  • 3.1.2 Changing the IP Address of a Metadata Repository Created with Oracle Application Server Repository Creation Assistant
  • 3.1.3 Oracle Enterprise Manager Grid Control Does not Display all Integration Profiles
  • 3.1.4 Additional Information for Changing Hostname for Identity Management Installations
• 3.2 Documentation Errata
  • 3.2.1 References to OracleAS Web Cache and OracleAS Portal in the Application Server Control Console Online Help

4 High Availability

• 4.1 General Issues and Workarounds
  • 4.1.1 Upgrade to OracleAS Guard Release 10.1.2.2.1
  • 4.1.2 Problem Performing a Clone Instance or Clone Topology Operation
  • 4.1.3 OracleAS Guard Release 10.1.2.1.1 Cannot Be Used with Oracle RAC Databases
  • 4.1.4 OracleAS Guard Returned an Inappropriate Message When It Could Not Find the User Specified Database Identifier
• 4.2 Configuration Issues and Workarounds
  • 4.2.1 The asgctl shutdown topology Command Does Not Shut Down an MRCA Database That is Detected To Be of a repCa Type Database
  • 4.2.2 Database SIDs Must be the Same for Database Peers at Primary and Standby Sites
  • 4.2.3 Use All Uppercase Characters for Database Initialization Parameters to Avoid Instantiate and Sync Problems
  • 4.2.4 Use the Same Port for ASG on the Production and Standby Sites to Avoid clone instance Operation Problems
  • 4.2.5 Use Fully Qualified Path Names with the add instance Command
  • 4.2.6 ASG Cloning is Not Supported when the Number of Oracle Homes is Different at the Primary and Standby Hosts
  • 4.2.7 Entries in TNSNAMES.ORA File that Lack Domain Names Cause Disaster Recovery Problems
• 4.3 Documentation Errata and Omissions
  • 4.3.1 Availability of a Previously Undocumented asgctl Command: create standby database
  • 4.3.2 Connecting to an OracleAS Guard Server May Return an Authentication Error
  • 4.3.3 All emagents Must Be Shut Down Before Performing OracleAS Guard Operations
  • 4.3.4 Procedure to Patch a 10.1.2.0.0 Disaster Recovery Setup with a 10.1.2.1.0 Patchset
  • 4.3.5 Running Instantiate Topology Across Nodes After Executing a Failover Operation Results in an ORA-01665 Error
  • 4.3.6 OracleAS Guard Is Unable to Shutdown the Database Because More Than One Instance of Oracle RAC is Running

5 Oracle Access Manager

• 5.1 Oracle Access Manager 10g (10.1.4.0.1) Patch Sets and Bundle Patches
  • 5.1.1 Obtaining the Latest Bundle Patch
  • 5.1.2 Obtaining the Latest Patch Set
• 5.2 General Issues
  • 5.2.1 New Location for the Platform Support Matrix
  • 5.2.2 Known Issue With JDK 1.1.7
  • 5.2.3 The Name "Query Builder" Is Not Always Translated
  • 5.2.4 Users Can Access Resources After Password Reset Without Logging In
  • 5.2.5 Time Management and Daylight Savings Time
  • 5.2.6 Caveat to Create a Password Policy with Change on Reset Enabled
• 5.3 Installation and Upgrade Issues and Workarounds
  • 5.3.1 Change the Transport Security Mode During Installation
  • 5.3.2 iPlanet Server Fails After Tuning
  • 5.3.3 Oracle Internet Directory Servers Require Tuning After Installation
  • 5.3.4 Support for DirX Has Been Deprecated
  • 5.3.5 "Enter Password" String Does Not Display Correctly During Installation
  • 5.3.6 Uninstalling a Language Pack With a "2" Designation Causes an Error
  • 5.3.7 Simple Mode Password File Not Converted During Upgrade
  • 5.3.8 Unnecessary Message Asks for SDK Migration Bundles During Upgrade
  • 5.3.9 Unable to Locate Bundles Needed for COREid 6.x Upgrades
  • 5.3.10 Problem with Automatic Directory Updates During Identity Server or Policy Manager Installation
  • 5.3.11 Challenge Parameter Rows Discarded During the Access Manager Upgrade
  • 5.3.12 No Translation Support for the SNMP Agent Installshield
  • 5.3.13 Installation of Identity Server 10.1.4.0.1 With Sun Java Directory Server 6.0
• 5.4 Removal and Rollback Issues and Workarounds
  • 5.4.1 Removing Language Packs
  • 5.4.2 Removing the Default Administrator Language
  • 5.4.3 Removing Components and Reinstalling
  • 5.4.4 Rollback Issues After Upgrading to Oracle Access Manager 10g (10.1.4.0.1)
    • 5.4.4.1 Halting On-the-fly User Data Migration Phase 1
    • 5.4.4.2 Halting On-the-fly Migration of User Data: Phase 2
    • 5.4.4.3 Restarting On-the-fly User Data Migration
• 5.5 Access System Issues and Workarounds
  • 5.5.1 Disabling the User Cache for the Access Server
  • 5.5.2 WebGate Diagnostics URL Incorrectly Report the Access Server Is Down
  • 5.5.3 WebGate Is Unable to Connect to Its Associated Access Server
  • 5.5.4 An Authentication Action for Form-Based Authentication Redirects to a Non-Secure Page
  • 5.5.5 Access Server Memory Usage Rises After Configuring a Directory Server Profile
  • 5.5.6 The Passthrough Challenge Parameter Does Not Work on a Domino Web Server
  • 5.5.7 Steps for Integrating the Access System with OracleAS Single Sign-On 10.1.2.0.2
  • 5.5.8 Return Type Parameters Are Case-Sensitive in This Release
  • 5.5.9 Single Sign-On with Oracle Identity Management Fails
  • 5.5.10 Policy Manager API Support Used Incorrectly in Help and Access System Console
• 5.6 Identity System Workarounds and Issues
  • 5.6.1 Identity System Deletes a User Entry When an RDN is Modified
  • 5.6.2 Identity System Deletes a User Entry When an RDN is Modified
  • 5.6.3 Auditing for the Identity System Ceases to Work
  • 5.6.4 Identity Server Crashes if It Cannot Find a Style Sheet
  • 5.6.5 WebPass Is Unable to Connect to Its Associated Identity Server
  • 5.6.6 Memory Usage Rises for an Identity Server After Configuring a Directory Server Profile
  • 5.6.7 Errors Are Found in the HTTP Logs After Setting Up the Identity System
  • 5.6.8 Reports With Non-ASCII Characters Are Not Imported Correctly in Excel
  • 5.6.9 Translation of Tab Names May be Incomplete
  • 5.6.10 Non-ASCII Values for Certain Display Types Are Corrupted in the Identity System Console
  • 5.6.11 Data Is Lost When Saving an Object Profile in Org. Manager
  • 5.6.12 Incorrect Path Provided to the UDDI Files
  • 5.6.13 Incorrect Path Setting for Running Sample WSDL Code
  • 5.6.14 User Creation Might Fail When You Have Multi-byte Characters in the Password
  • 5.6.15 Modifying Challenge and Response Phrases for Lost Password Management from a Panel
• 5.7 Third-Party Integration Issues
  • 5.7.1 Users Receive Errors When Accessing Weblogic Resources
  • 5.7.2 The Deploy Link on the WebLogic Console Does Not Respond to Users Without a Role
  • 5.7.3 No Error Is Displayed When You Create a WebLogic Group that Already Exists
  • 5.7.4 Double-Byte Language Packs Do Not Work with the WebLogic SSPI Connector
  • 5.7.5 Integrating with Oracle Application Server Single Sign-On
  • 5.7.6 File Needed for Registrytester Not Bundled with IBM WebSphere Application Server 6.1
• 5.8 Directory Issues
  • 5.8.1 Error "There Is No Profile Configured for this Kind of Object"
  • 5.8.2 Issues With the Display of Messages in Some Languages
  • 5.8.3 Support for eDirectory 8.7.3
• 5.9 Documentation Issues
  • 5.9.1 Reference to Oracle Internet Directory Is Needed in Installation Preparation Checklist
  • 5.9.2 Help Mentions WebGateStatic.lst But No Such File Exists
  • 5.9.3 The obEnableCredentialCache Credential Mapping Parameter Is Misspelled
  • 5.9.4 Warning Regarding Retrieving Authorization Data From an External Source
  • 5.9.5 Active Directory MaxPageSize Parameter Stated as PageSize Parameter
  • 5.9.6 Missing Parameter in globalparams.xml Documentation
  • 5.9.7 Incorrect obver Attribute Value Stated in Documentation
  • 5.9.8 Changes in System Behavior for obVer Missing in Manuals
  • 5.9.9 Items Needed for WebLogic 9.2 Application Server Certification
  • 5.9.10 Corrected Default Path Names in Oracle Access Manager Installation Guide
  • 5.9.11 OIS and Access Server Service Start is Automatic by Default
  • 5.9.12 Certificate Utility Flags Incorrect for Oracle Virtual Directory SSL Listener
  • 5.9.13 Tuning Oracle Internet Directory for Oracle Access Manager
  • 5.9.14 Obtaining/Updating Sample Adapter and Mapping Templates for Oracle Virtual Directory
  • 5.9.15 Typographical Error in the Solution for "The Login Form Appears Repeatedly"
  • 5.9.16 Added Required Database User Privileges to Upload Schema in Oracle Access Manager Configuration Manager
  • 5.9.17 Added Audit File Renaming Steps to Oracle Access Manager Upgrade Guide
  • 5.9.18 Corrected Path Details for Oracle Virtual Directory Schema Files
  • 5.9.19 Corrected LDAPModify Syntax for Oracle Virtual Directory
  • 5.9.20 Added SSL Requirements When Upgrading Schema and Data with Master Access Manager
  • 5.9.21 Corrected Path Names for Schema Index Files in Oracle Access Manager Upgrade Guide
  • 5.9.22 Corrected Environment URL in Oracle Access Manager Configuration Manager Installation and Administration Guide
  • 5.9.23 Missing Challenge Parameter "realmunique:yes"
  • 5.9.24 Installation Guide Offers Misleading Instructions for COREid Web Component on SELinux
  • 5.9.25 Misleading Title for Enabling Client Cert on IIS in Oracle Access Manager Installation Guide
  • 5.9.26 oblixCoreidServerDown has the Same Description as oblixCoreidServerFailure
  • 5.9.27 Syntax Correction in Oracle Access Manager Customization Guide
  • 5.9.28 Clarification of unique_value_attrs in ldapreferentialintegrityparams.xml
  • 5.9.29 Clarification on Reconfiguring COREid Server and WebPass
  • 5.9.30 Updating Novell eDirectory Schema Details
  • 5.9.31 Clarification in WebLogic Chapter of Oracle Access Manager Integration Guide
  • 5.9.32 Policy Manager API Support Should Read Access Management Service
  • 5.9.33 Invalid URL Patterns in Policy

6 Oracle Application Server Single Sign-On

• 6.1 Installation, Installation and Upgrade Issues
  • 6.1.1 Directory Considerations During Installation
  • 6.1.2 Directory Considerations After Installation
  • 6.1.3 Identity Management Grid Control Considerations During Uninstallation
• 6.2 General Issues
  • 6.2.1 Oracle Directory Manager Is no Longer Supported
  • 6.2.2 Deleting and Recreating a User Causes an Error When Accessing an External Application
  • 6.2.3 You Must Change the Value for the ORCLDASURLBASE Attribute in Oracle Internet Directory After Enabling SSL
  • 6.2.4 Clarification Needed for Implementing the IPASAuthInterface.java Package
  • 6.2.5 Multiple Single Sign-On Servers Cannot Share a Global User Inactivity Timeout
  • 6.2.6 A "Host Unavailable" Entry Appears on Non-English Monitoring Pages
  • 6.2.7 Dynamic Global Logout Directives Must Pass the String "Oracle SSO"
  • 6.2.8 Multilevel Authentication Configuration May or May Not Require a Port Number
• 6.3 Documentation Errata
  • 6.3.1 Incomplete Information in "Developing Applications for Single Sign-On" Chapter of Oracle Identity Management Application Developer's Guide

7 Oracle Identity Federation

• 7.1 Installation and Upgrade Issues
  • 7.1.1 Oracle Identity Federation Configuration Assistant Fails in SSL Mode
• 7.2 General Issues and Workarounds
  • 7.2.1 Credential Re-entry When Accessing a SiteMinder Protected Resource
  • 7.2.2 Reauthentication after Session Timeout with OracleAS Single Sign-On and SAML 1.x or WS-Federation
  • 7.2.3 Attribute Sharing with the Microsoft Internet Information Server
  • 7.2.4 Redirection Loops with Oracle Access Manager
  • 7.2.5 Truncated Text in Japanese Version of Oracle Universal Installer
  • 7.2.6 Unused Assertion Profile With Invalid Attribute Mapping Can Cause SSO Failure
  • 7.2.7 Signed SAML 1.0 Assertions Can Cause SSO Failures
  • 7.2.8 Encrypting Network Connections
  • 7.2.9 Spurious Certificate Verification Failure in Debug Log
  • 7.2.10 Forced Reauthentication Not Supported with OracleAS Single Sign-On
• 7.3 Configuration Issues and Workarounds
  • 7.3.1 Administration Console Is Not Accessible After Changing Transient Data Store
  • 7.3.2 Signing SAML Response with Assertion
  • 7.3.3 Assertions Using SAML 1.x POST Method Fail in Japanese Locale
  • 7.3.4 Using RDBMS as a User Data Store with a Login column ID of type CHAR
  • 7.3.5 Some Peer Providers Are Not Displayed in Administration Console
  • 7.3.6 SAML 2.0 Metadata AttributeRequesterDescriptor Not Supported
  • 7.3.7 Problems Disabling Protocol Profiles in Administration Console
  • 7.3.8 Metadata Service URLs With Query Parameters Not Supported
• 7.4 Documentation Errata
  • 7.4.1 Incorrect Header in Oracle Identity Federation Online Help
  • 7.4.2 Usage of Command-line Configuration Assistants
  • 7.4.3 Enhanced Description of Provider Configuration

8 Oracle Security Developer Tools

• 8.1 General Issues and Workarounds
  • 8.1.1 Oracle XML Security Does Not Handle the InclusiveNamespaces Tag

9 Oracle Internet Directory

• 9.1 General Issues and Workarounds
  • 9.1.1 Perform Full Database Backup After Administrative Changes to Oracle Internet Directory
  • 9.1.2 Comment Out ACL Attributes Not Defined in the Schema
  • 9.1.3 Specify DN of the DIT When Dumping Directory Entries for an Advanced Replication Agreement
• 9.2 Configuration Issues and Workarounds
  • 9.2.1 Set Language Before Using bulkload
• 9.3 Documentation Errata
  • 9.3.1 Bad Links in Online Help Pages
  • 9.3.2 Missing Line Break in sqlplus Command
  • 9.3.3 Errors in oracle.ldap.util.Subscriber.createUser() Documentation
  • 9.3.4 Missing Example: How to Decode a Mime-Encoded Header Set by mod_sso
  • 9.3.5 Error in Identity Management Grid Control Plug-in Context-Sensitive Help
  • 9.3.6 Missing Note: The labeledURI Attribute host:port is for Syntax Purposes Only
  • 9.3.7 Missing Example: Listing All the Attributes in the Directory by Using ldapsearch
  • 9.3.8 Incorrect Environment Variables in Plug-in Debugging Examples
  • 9.3.9 Figure Errors in Replication Concepts Chapter
  • 9.3.10 Bad ldifwrite Parameter in Backup Chapter
  • 9.3.11 Error in Sample Code for Java Plug-ins
  • 9.3.12 Obsolete Step in SSL Configuration Procedure
  • 9.3.13 Errors in Oracle Directory Manager Help and in Appendix A of the Oracle Internet Directory Administrator's Guide
  • 9.3.14 No Maximum Value Documented for pwdGraceLoginLimit
  • 9.3.15 Setting orcldataprivacymode to 1 Prevents OC4J_SECURITY from Starting

10 Oracle Virtual Directory

• 10.1 General Issues and Workarounds
• 10.2 Bug Fixes

11 Oracle Application Server Certificate Authority

• 11.1 Documentation Errata
  • 11.1.1 Java Classes for Custom Policy Plug-in Must Use JDK 1.4.2
  • 11.1.2 Incorrect Class Name in Custom Policy Example

12 Oracle Delegated Administration Services

• 12.1 General Issues and Workarounds
  • 12.1.1 Installation Process Does Not Enable SSL for Oracle Delegated Administration Services
  • 12.1.2 Using Single Wildcard Characters to Search for Entries Fails to Return Results
  • 12.1.3 Oracle Internet Directory Self-Service Console Link Does Not Work in Oracle Identity Manager Grid Control Plug-in
• 12.2 Administration Issues and Workarounds
  • 12.2.1 Disabling Password Change and Reset Functionality
  • 12.2.2 Resetting Oracle Application Server Single Sign-On Passwords Redirects Users to Oracle Delegated Administration Services Home Page
• 12.3 Online Help Issues and Workarounds
  • 12.3.1 No Help Topic When Managing Applications
  • 12.3.2 The ou Attribute is Not Allowed In User Entries
• 12.4 Documentation Issues
  • 12.4.1 Session Context is Not Clearly Documented
  • 12.4.2 Special Characters for User ID Needs Updating
  • 12.4.3 Clarification: Old_password Not Being Passed to Custom Pre_modify Password Policy Plugin

13 Oracle Directory Integration Platform

• 13.1 Configuration Issues and Workarounds
  • 13.1.1 Configuration Requirements for Synchronizations with Domain-Level Mappings
  • 13.1.2 Directory Integration Assistant Throws "LDAP: error code 2 - Decoding Error" When Uploading an Additional Configuration Information File
  • 13.1.3 Reconfiguring the Oracle Password Filter for Microsoft Active Directory Generates Errors
  • 13.1.4 In a High Availability Environment Using Multimaster Replication, Provisioning Events May not Be Propagated or May Be Duplicated
  • 13.1.5 Manual Step Required After Configuring Oracle Directory Integration Platform from Oracle Enterprise Manager
  • 13.1.6 Securing the Windows Registry Before Installing the Oracle Password Filter for Microsoft Active Directory
  • 13.1.7 DIP_GEN_CREATECHG_EXCEPTION Raised When Source Directory Contains More than 10 Attributes to be Synchronized
  • 13.1.8 Deletions Not Synchronized if a Domain Editing Rule Exists
  • 13.1.9 Synchronizing modrdn from Sun Java System Directory Throws a Stack Trace
  • 13.1.10 The SearchDeltaSize Parameter is Ignored During Synchronization
  • 13.1.11 Add Operations Not Synchronized and Synchronization Fails with an "objcls is NULL" Message in the Trace File
• 13.2 Administration Issues and Workarounds
  • 13.2.1 Default Mapping Rule Can Be Simplified in Single-Domain Microsoft Active Directory Deployments
  • 13.2.2 Oracle Directory Integration Platform Not Sending Provisioning Events Due to Purged Change Log Entries
  • 13.2.3 Oracle Internet Directory Field Unavailable in Oracle Identity Manager Grid Control Plug-in
  • 13.2.4 Synchronizion from Novell eDirectory or OpenLDAP Fails When the Oracle Internet Directory Container is Within the Default Realm