
Oracle Access Manager

Bundle Patch Notes (Bundle Patch 04) For 10g (10.1.4.3.0) For Linux, Microsoft Windows, and Solaris Operating Systems
August 2010

This document describes the bug fixes that are included with Bundle Patch 10.1.4.3.0-BP04. This bundle patch requires a base installation of Oracle Access Manager 10g (10.1.4.3.0).
Note: The product formerly known as "Oblix NetPoint" or "Oblix COREid" is now "Oracle Access Manager." All legacy references to "Oblix" and "NetPoint" in either the product documentation or the software interface should henceforth be understood to connote "Oracle Access Manager."

This document supersedes the documentation that accompanies Oracle Access Manager 10g (10.1.4.3.0), and earlier documents if any. This document contains the following sections:

Section 1, "Documentation Accessibility"
Section 2, "Bundle Patch Overview"
Section 3, "Documentation"
Section 4, "Bundle Patch Requirements"
Section 5, "Before You Install This Bundle Patch"
Section 6, "Bundle Patch Installation and Removal"
Section 7, "Known Issues"
Section 8, "Fixes Included in This Cumulative Bundle Patch"
Section 9, "Documentation Issues"
Section 10, "Components Included with this Bundle Patch"

The names of the operating systems have been shortened for this document, as follows:

Operating System                      Abbreviated Name
Oracle Enterprise Linux               Linux
Red Hat Linux                         Linux
Solaris Operating System (SPARC)      Solaris
Microsoft Windows                     Windows

1 Documentation Accessibility
Our goal is to make Oracle products, services, and supporting documentation accessible to all users, including users that are disabled. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at http://www.oracle.com/accessibility/.

Accessibility of Code Examples in Documentation

Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

Deaf/Hard of Hearing Access to Oracle Support Services

To reach Oracle Support Services, use a telecommunications relay service (TRS) to call Oracle Support at 1.800.223.1711. An Oracle Support Services engineer will handle technical issues and provide customer support according to the Oracle service request process. Information about TRS is available at http://www.fcc.gov/cgb/consumerfacts/trs.html, and a list of phone numbers is available at http://www.fcc.gov/cgb/dro/trsphonebk.html.

2 Bundle Patch Overview


A 10g (10.1.4.3.0) bundle patch must be applied to 10g (10.1.4.3.0) components. The first Oracle Access Manager 10g (10.1.4.3.0) bundle patch was available in December 2009. The following topics provide an overview of bundle patches:

Section 2.1, "Bundle Patch Introduction"
Section 2.2, "Bundle Patch Baseline Packages"
Section 2.3, "Package Names"

2.1 Bundle Patch Introduction


A bundle patch is an official Oracle patch for Oracle Access Manager components on baseline platforms. For more information, see Section 2.2, "Bundle Patch Baseline Packages". Each bundle patch includes the libraries and files that have been rebuilt to implement one or more fixes. All of the fixes in the bundle patch have been tested and are certified to work with one another. Regression testing has also been performed to ensure backward compatibility with all Oracle Access Manager components in the bundle patch, and with earlier WebGates. Each bundle patch is cumulative: the latest bundle patch includes all fixes in earlier bundle patches for the same release and platform. Fixes delivered in bundle patches are rolled into the next release. For instance, 10g (10.1.4.2.0) bundle patch fixes are included in Oracle Access Manager 10g (10.1.4.3). Bundle patches are released on a regular basis and are available on My Oracle Support (formerly Oracle MetaLink). A knowledge base note, maintained by the Support team, is also available to provide a list of bundle patches and included packages. Look for Note: 736372.1 on My Oracle Support at:
http://support.oracle.com

Note:

To remain in an Oracle-supported state, Oracle recommends that you apply the bundle patch to all installed components for which packages are provided.

Table 1 provides a brief overview of the differences between a bundle patch, a standard patch set, and a patch set exception.

Table 1 Bundle Patches, Patch Sets, and Patch Set Exceptions

Mechanism: Bundle Patch
Description: A bundle patch is an official Oracle patch for Oracle Access Manager components on baseline platforms. Each bundle patch includes the libraries and files that have been rebuilt to implement one or more fixes. All of the fixes in the bundle patch have been tested and are certified to work with one another. Regression testing has also been performed to ensure backward compatibility with earlier WebGates. A 10g (10.1.4.3.0) bundle patch must be applied to 10g (10.1.4.3.0) components. For details of the new bundle patch process, see Note: 466993.1 on My Oracle Support at: http://support.oracle.com

Mechanism: Patch Set
Description: A patch set is a mechanism for delivering fully tested and integrated product fixes that can be applied to installed components of the same release. Patch sets include all of the fixes available in previous bundle patches (or patch set exceptions) for the release. A patch set can also include new functionality. Each patch set provides the libraries and files that have been rebuilt to implement bug fixes (and new functions, if any). However, a patch set might not be a complete software distribution and might not include packages for every component on every platform. All of the fixes in the patch set have been tested and are certified to work with one another on the specified platforms. The latest patch set for Oracle Access Manager is 10g (10.1.4.3.0).

Mechanism: Patch Set Exception (PSE)
Description: Each PSE was an official Oracle patch; however, a PSE was not a complete product distribution and did not include packages for every component on every platform. Each PSE (also known as a one-off or hot fix) addressed only one issue for a single component; typically (but not always) only for a single platform. A PSE included only the libraries and files that had been rebuilt to implement a specific fix for a specific component. Each PSE was cumulative, but did not undergo extensive regression testing and certification by QA. Individual PSE releases were not tested to work together with other PSE releases.
Note: The bundle patch mechanism has replaced the patch set exception mechanism.

2.2 Bundle Patch Baseline Packages


Each bundle patch provides a set of baseline packages, as indicated next:

Solaris:
  Access Server
  Identity Server
  WebPass, Policy Manager, WebGate for Sun Java System HTTP Server
  WebGate for Apache 2.0.x HTTP Server
  WebGate for Apache 2.2.x HTTP Server
  64-bit WebGate for Oracle HTTP Server 11g

Linux:
  Access Server
  Identity Server
  WebPass, Policy Manager, WebGate for Apache 2.2.x HTTP Server
  WebPass, Policy Manager, WebGate for Oracle HTTP Server 11g (32-bit)
  64-bit WebGate for Oracle HTTP Server 11g

Windows:
  Access Server
  Identity Server
  WebPass, Policy Manager for IIS
  WebPass, Policy Manager, WebGate for Oracle HTTP Server 11g (32-bit)
  WebGate for IIS
  64-bit WebGate for Oracle HTTP Server 11g

A single bundle patch might not include every component and platform combination. However, additional platforms and components might be added: for instance, a bundle patch might include packages for components beyond the baseline (Oracle HTTP Server 10g, for example) if issues for those components are resolved during a given bundle patch cycle.

For the latest support information, see:


http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oam_3rd%20party_oracle_integrations_package_list.xls

See Also: Section 10, "Components Included with this Bundle Patch"

2.3 Package Names


This topic illustrates bundle patch naming conventions for 10g (10.1.4.3). Oracle Access Manager bundle patch releases are distributed in individual platform-specific bundles (ZIP files). Oracle Access Manager bundle patch Zip file names are based on the following:

Release Number refers to the base release (10.1.4.3.0, for example)
BPnn refers to the bundle patch release (BP01, for example)
platform refers to standard platform designations: sparc-s2 (Solaris), for example
component refers to a specific Oracle Access Manager component, such as Identity Server or Access Server, or a specific Web component type
Webserver refers to a specific Web server identifier for Web components

Table 2 provides sample package names for the Oracle Access Manager 10g (10.1.4.3) bundle patches.
Table 2 Bundle Patch Package Name Examples

Component
  Convention: Oracle_Access_Manager_ReleaseNumber_BPnn_platform_component.zip
  Example: Oracle_Access_Manager_10_1_4_3_0_BP02_linux_Identity_Server.zip

Web Component
  Convention: Oracle_Access_Manager_10_1_4_3_0_BPnn_Platform_Webserver_component.zip
  Example: Oracle_Access_Manager_10_1_4_3_0_BP02_linux_APACHE2_WebGate.zip

AccessGate
  Convention: Oracle_Access_Manager_10_1_4_3_0_BPnn_Platform_Appsrver_Connector.zip
  Example: Oracle_Access_Manager_10_1_4_3_0_BP02_linux_Weblogic_Connector.zip

3 Documentation
This section describes the documentation that is available to support the latest bundle patch, the original 10g (10.1.4.3.0) patch set, and new full-installer packages. This section provides the following topics:

Section 3.1, "Oracle Access Manager 10g (10.1.4.3.0) Manuals and Release Notes"
Section 3.2, "Patch Set Notes and Bundle Patch Notes"
Section 3.3, "Certification Documentation, Full-Installers, and Readme"

3.1 Oracle Access Manager 10g (10.1.4.3.0) Manuals and Release Notes
Release Notes and manuals are available on Oracle Technology Network (OTN) regardless of the Oracle Access Manager release you have: 10g (10.1.4.0.1), 10g (10.1.4.2.0), or 10g (10.1.4.3). If you already have a user name and password for OTN, you can go directly to the documentation section of the OTN Web site at:
http://www.oracle.com/technology/documentation/oim1014.html

Oracle Access Manager 10g (10.1.4.3.0) manuals include:

Oracle Access Manager Installation Guide
Oracle Access Manager Upgrade Guide
Oracle Access Manager Identity and Common Administration Guide
Oracle Access Manager Access Administration Guide
Oracle Access Manager Deployment Guide
Oracle Access Manager Customization Guide
Oracle Access Manager Developer Guide
Oracle Access Manager Integration Guide
Oracle Access Manager Schema Description
Oracle Access Manager 10g (10.1.4.3) Release Notes

3.2 Patch Set Notes and Bundle Patch Notes


Patch set notes and bundle patch notes are available for download with software patches and bundle patches from My Oracle Support (formerly MetaLink) at:
http://support.oracle.com

This document, Oracle Access Manager Bundle Patch Notes 01 for Release 10g (10.1.4.3.0) for Linux, Microsoft Windows, and Solaris Operating Systems, provides the following information for this specific bundle patch release:

General information about bundle patches
General bundle patch requirements and installation details
Details about what is included in this bundle patch

This Oracle Access Manager Bundle Patch Notes 01 for Release 10g (10.1.4.3.0) for Linux, Microsoft Windows, and Solaris Operating Systems readme file is available in PDF format within the bundle patch distribution zip file. The file is named for the product and release (oam_101430_BP01_doc.pdf). An HTML version of this file, readme.htm, is available outside the zip file.

3.3 Certification Documentation, Full-Installers, and Readme


For the latest Oracle Access Manager certification information, see Oracle Technology Network at:

http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oracle_access_manager_certification_10.1.4_r3_matrix.xls

Certification release notes, and certification-related documentation updates, are available from the Oracle Fusion Middleware 11gR1 Software Downloads page of Oracle Technology Network:
http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html

WebGate releases and notes are still located under the Oracle Access Manager 3rd Party Integration Section of the following page:
http://www.oracle.com/technology/software/products/ias/htdocs/101401.html

The 3rd Party release notes provide:


Contents of Each Download Link
Prerequisites
Overview of changes to Oracle Access Manager manuals
Known Issues

4 Bundle Patch Requirements


This bundle patch must be applied to Oracle Access Manager 10g (10.1.4.3.0) components, as discussed in the following topics:

Section 4.1, "Base Release for 10g (10.1.4.3) Bundle Patches"
Section 4.2, "Core 10g (10.1.4.3) Components"
Section 4.3, "Agents (WebGates and AccessGates)"
Section 4.4, "Preinstallation Requirements"

4.1 Base Release for 10g (10.1.4.3) Bundle Patches


Oracle Access Manager 10g (10.1.4.3) is the required base for any Oracle Access Manager 10g (10.1.4.3) bundle patch.
Note:

The exact release number is on the View System Info page of the Oracle Access Manager Identity or Access System Console (click About, and then click View System Info).

Table 3 provides details of how to obtain an Oracle Access Manager 10g (10.1.4.3) installation.

Table 3 Oracle Access Manager 10g (10.1.4.3) Deployment Types

Deployment Type: Fresh Installation (requires full installers)
Description: Oracle Access Manager 10g (10.1.4.3) is the recommended single sign-on solution for Oracle Fusion Middleware 11g. Oracle Access Manager 10g (10.1.4.3) full installers are available with Oracle Fusion Middleware 11g on the Oracle Technology Network:
http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html
Additional WebGates (other than OHS 11g) for Oracle Access Manager 10g (10.1.4.3) can be found on the Oracle Identity Management 10g downloads page at:
http://www.oracle.com/technology/software/products/ias/htdocs/101401.html

Deployment Type: Patched Deployment (requires 10g (10.1.4.3) Patch Set Packages)
Description: You can apply the 10g (10.1.4.3) patch set to Oracle Access Manager 10g (10.1.4.2.0) components only.
Note: You cannot use 10g (10.1.4.3) full installers to upgrade an earlier Oracle Access Manager installation.
Patch packages are available on My Oracle Support (formerly Oracle MetaLink). Look for patch number 8276055:
http://support.oracle.com

See Also: Section 4.2, "Core 10g (10.1.4.3) Components"

4.2 Core 10g (10.1.4.3) Components


Bundle patches can be applied only to installed components on supported Operating Systems. Each bundle patch includes core components for baseline platforms if fixes are available for the component and platform combination. A bundle patch can also include components beyond the baseline. Oracle recommends that you apply each bundle patch to all installed components included in the bundle patch. Oracle also recommends that 10g (10.1.4.3) Identity and Access Server components be at the same (or higher) bundle patch level as a 10g (10.1.4.3) WebGate. For more information, see Section 4.3, "Agents (WebGates and AccessGates)". Guidelines for core components in your deployment are described in Table 4.
Table 4 Core Components in Your Deployment

If you have ...                     You can ...
Identity System Only                Apply the same bundle patch release to the Identity Server and WebPass only.
Joint Identity and Access System    Apply the same bundle patch release to the Identity Server, WebPass, Policy Manager, and Access Server.

See Also: Section 4.3, "Agents (WebGates and AccessGates)"

4.3 Agents (WebGates and AccessGates)


Oracle recommends that 10g (10.1.4.3) Identity and Access Server components be at the same (or higher) bundle patch level as a 10g (10.1.4.3) WebGate.
Note:

The term "WebGate" also refers to custom AccessGates.

If a WebGate bundle patch is provided and you have a 10g (10.1.4.3.0) WebGate, Oracle recommends that you apply the WebGate bundle patch. You cannot apply a 10g (10.1.4.3.0) bundle patch to earlier 10g WebGates (for instance, 10g (10.1.4.2.0) or 10g (10.1.4.0.1) WebGates). However, you can deploy a fresh 10g (10.1.4.3.0) WebGate using a full installer package, and then apply the bundle patch. See Table 5 for more information.
Table 5 Bundle Patches and WebGates

If you have ... 10g (10.1.4.3.0) WebGates
Perform the following steps ... Apply a 10g (10.1.4.3) WebGate bundle patch:
1. Confirm that a 10g (10.1.4.3) WebGate is installed using a full installer.
2. See Section 10, "Components Included with this Bundle Patch" to determine that you need to patch a WebGate.
3. Confirm that the installed WebGate bundle patch level, if any, is lower than the bundle patch you intend to apply.
4. Apply the bundle patch as described in Section 6, "Bundle Patch Installation and Removal".

If you have ... Earlier WebGates (release 7.x, 10.1.4.0.1, 10.1.4.2.0)
Perform the following steps ... Deploy a 10g (10.1.4.3) WebGate with a full installer package:
1. Remove the earlier WebGate (or AccessGate) using instructions in the Oracle Access Manager Installation Guide.
2. Install the 10g (10.1.4.3) WebGate using all specifications of the earlier WebGate.
3. Apply the 10g (10.1.4.3) bundle patch as described in Section 6, "Bundle Patch Installation and Removal".

4.4 Preinstallation Requirements


The following list outlines the preinstallation requirements for this bundle patch:

Before you start, review Section 5, "Before You Install This Bundle Patch".
Ensure that all host systems meet the recommended system requirements described in the Oracle Access Manager Installation Guide.
Locate the latest supported system configurations for Oracle Access Manager with Oracle Fusion Middleware (Oracle Identity and Access Management), if needed:
1. Go to Oracle Technology Network:
   http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oracle_access_manager_certification_10.1.4_r3_matrix.xls
2. Consult the appropriate tab in the Oracle Access Manager 10gR3 spreadsheet.

5 Before You Install This Bundle Patch


Before installing this bundle patch, Oracle recommends that you review this section and follow these instructions carefully:

Confirm that you have the exact issue that is described.
Ensure that your system configuration exactly matches the system configuration identified in the corresponding Oracle Bug database entry, including the:
  Oracle Access Manager release or patch set level (10g (10.1.4.3.0) is required)
  Operating System release and type
  Web server release and type
Confirm that the installed bundle patch level, if any, is lower than the one you intend to install. There is no need to remove an earlier 10g (10.1.4.3) bundle patch before you install a later 10g (10.1.4.3) bundle patch. For example, you can install BP05 on top of BP04 (or earlier). However, you cannot install BP05 if BP06 (or later) is installed.

Note: If your system configuration does not meet these requirements, or if you are not certain that it does, Oracle recommends that you log a Service Request to get assistance with this bundle patch. Oracle Support will make a determination about whether you should apply this bundle patch.
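As an added example (not part of these patch notes and not Oracle's code), the following POSIX shell helper applies two of the checks above before anything is run: it parses a bundle patch package name according to the convention in Section 2.3 and refuses a package whose base release is not 10.1.4.3.0 or whose BPnn level is not higher than the bundle patch level already installed on the component. The function names and the way the installed level is supplied are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle's code: pre-install checks for an Oracle Access
# Manager 10g (10.1.4.3.0) bundle patch package, based on the package naming
# convention Oracle_Access_Manager_<release>_BPnn_<platform>_<component>.zip
# and on the rule that a bundle patch may only be applied on top of a lower
# (or no) bundle patch level. Function names are assumptions.

OAM_BASE_RELEASE="10_1_4_3_0"   # 10.1.4.3.0 as it appears in package names

# oam_parse_package FILE
# Prints "release bp platform component" for a package name that follows the
# convention (for example "10_1_4_3_0 02 linux APACHE2_WebGate"); returns 1
# for any other file name.
oam_parse_package() {
    name=$(basename "$1" .zip)
    case "$name" in
        Oracle_Access_Manager_*_BP[0-9][0-9]_*_*) ;;
        *) return 1 ;;
    esac
    rest=${name#Oracle_Access_Manager_}
    release=${rest%%_BP*}          # 10_1_4_3_0
    rest=${rest#*_BP}
    bp=${rest%%_*}                 # 02
    rest=${rest#*_}
    platform=${rest%%_*}           # linux, sparc-s2, ...
    component=${rest#*_}           # Identity_Server, APACHE2_WebGate, Weblogic_Connector
    printf '%s %s %s %s\n' "$release" "$bp" "$platform" "$component"
}

# oam_can_apply FILE [INSTALLED_LEVEL]
# INSTALLED_LEVEL is the bundle patch already on the component ("04" or "BP04");
# leave it empty when only the 10.1.4.3.0 patch set is installed.
# Returns 0 when FILE may be applied, 1 when it must not, 2 on a malformed name.
oam_can_apply() {
    pkg=$1
    installed=${2#BP}
    installed=${installed:-00}
    parsed=$(oam_parse_package "$pkg") || {
        echo "not a bundle patch package: $pkg" >&2
        return 2
    }
    set -- $parsed
    release=$1
    bp=$2
    if [ "$release" != "$OAM_BASE_RELEASE" ]; then
        echo "wrong base release in $pkg: $release (need $OAM_BASE_RELEASE)" >&2
        return 1
    fi
    # BPnn must be strictly higher than what is installed: BP05 goes on BP04
    # or earlier, not on BP06 or later, and re-applying the same level is refused.
    if [ "${bp#0}" -le "${installed#0}" ]; then
        echo "installed level BP$installed is not lower than package level BP$bp" >&2
        return 1
    fi
    return 0
}

# Run directly: oam_bp_check.sh <package.zip> [installed-level]
if [ $# -ge 1 ]; then
    oam_can_apply "$1" "$2" && echo "OK to apply $1"
fi
```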

6 Bundle Patch Installation and Removal


This section contains the following topics to guide you as you prepare and install the bundle patch files (or as you remove a bundle patch should you need to revert to your original installation):

Section 6.1, "Preparing for Bundle Patch Installation on Any Platform"
Section 6.2, "Installing a Bundle Patch on Any Platform"
Section 6.3, "Failure During Bundle Patch Application"
Section 6.4, "Uninstalling a Bundle Patch on Any System"
Note:

This document supersedes earlier 10g (10.1.4.3) documentation.

6.1 Preparing for Bundle Patch Installation on Any Platform


This section introduces platform-specific bundles for this bundle patch. It includes a procedure that explains how to store bundles and files in temporary directories so that they are organized and separate from the files within your original installation.


start_ois_server and start_aaa_server startup scripts

The latest bundle patch might include start_ois_server and start_aaa_server startup scripts. In this case, the latest start_ois_server and start_aaa_server startup scripts overwrite the existing scripts. Any modifications that you have made to customize the scripts must be manually applied to the new scripts after installing the bundle patch. To avoid losing startup script customizations in the future, consider the alternative of using an independent start-up script that performs the desired environment operations and then calls the start_ois_server or start_aaa_server startup script.

Caution: Installing the latest bundle patch might overwrite your customized start_ois_server and start_aaa_server startup scripts. Be sure to back up your customized startup scripts. After you install the bundle patch, you can copy your customizations into the new start_ois_server and start_aaa_server startup scripts. For more information, see Section 6.2, "Installing a Bundle Patch on Any Platform".

The following procedure explains how to unzip and store the platform-specific bundle patch files before you begin installation. The steps explain what to do on all platforms. Oracle recommends that you store the contents of each component-specific file in a separate branch (subdirectory) within the corresponding platform-specific directory tree, as indicated next.

To download and store bundle patch files
1. On the machine that will host the bundle patch files, create a temporary directory to contain the platform-specific bundles that you will download. For example:
   Linux: /home/10143BPnn/tmp
   Solaris: /opt/10143BPnn/tmp
   Windows: C:\10143BPnn\tmp
2. Go to My Oracle Support and log in:
   http://support.oracle.com
3. Click the Patches & Updates link.
4. Click Product or Family (Advanced Search) and fill in the search criteria. For example:
   a. From the Product is list, click Oracle Oblix COREid.
   b. From the Release is list, click Oracle Access Manager 10.1.4.3.
   c. From the following list, select Platform.
   d. From the list of platforms, select all that apply.
   e. Click the Search button.
   f. In the Patch Search Results table, locate the latest bundle patch (top of the list) and click the corresponding number.
5. Readme: Click the View Readme button to display the Release Notes, which you can print to review the list of bugs fixed, enhancements, and more.
6. Download: Click the Download button to retrieve the packages.
7. Bundle Patch Installation: See the 10g (10.1.4.3) Readme for all prerequisites, patch install, and post-patching instructions: oam_101430_readme.pdf.

6.2 Installing a Bundle Patch on Any Platform


This section describes how to install components in the bundle patch on any platform. The patch program (patchinst) is used for both bundle patch installation and removal. While individual methods and commands might differ depending on your platform, the overall procedure is the same.
Note:

When applying the bundle patch, you must log in as the same user who installed the base product.

The files in each bundle patch are installed into the destination directory. This enables you to remove (uninstall) the bundle patch even if you have deleted the original bundle patch files from the temporary directory you created.
Note:

Oracle recommends that you make a backup copy of your existing Oracle Access Manager components before you install this bundle patch. This enables you to restore your original environment if you choose to remove this bundle patch, later.

To install a bundle patch on any platform
1. Complete all activities in Section 6.1, "Preparing for Bundle Patch Installation on Any Platform".
2. Log in as the same user who installed the base product.
3. Stop the Oracle Access Manager component to which you will apply this bundle patch (for example, stop the Identity Server service), and any application that uses this component.
4. If the Oracle Access Manager component uses a Web server, turn it off.
5. Back up the current Oracle Access Manager component installation directory, and back up any customized start_ois_server and start_aaa_server startup scripts.
6. Move the backup directory to another location and record this so you can locate it later, if needed.
7. Open a command window.

Caution: In the next step, you must use the patchinst program that is stored in the component's binary parameter directory. Do not use the patchinst program that is stored in the message parameter directory.

8. From the temporary directory that you created, locate the component-specific binary parameter directory. For example:
   Linux: /home/10143BPnn/tmp/Oracle_Access_Manager10_1_4_3_0_BPnn_platform_Access_Server_binary_parameter
   Solaris: /opt/10143BPnn/tmp/Oracle_Access_Manager10_1_4_3_0_BPnn_platform_Access_Server_binary_parameter
   Windows: C:\10143BPnn\tmp\Oracle_Access_Manager10_1_4_3_0_BPnn_platform_Access_Server_binary_parameter
   In this example, tmp is the temporary directory where the bundle patch is extracted, and Oracle_Access_Manager10_1_4_3_0_BPnn_platform_Access_Server_binary_parameter refers to the bundle patch for the Access Server on the specified platform type.
9. Run the bundle patch installation program using one of the following commands:
   Windows Systems: patchinst.exe
   All Unix Operating Systems: ./patchinst

Note: You must install the bundle patch in the same location as the component to which it should be applied, for instance: installdir\identity or installdir\access.

10. When prompted, type the name of the directory where you want to install the bundle patch. For example:
    C:\OAM\access
    C:/OAM/access

Note: The .exe program applies the fix and creates a new directory that contains a backup of your earlier files. The command window displays a prompt when the fix is installed.

11. Restart the component to which you just applied this bundle patch, and restart the Web server if it was turned off.

Note: The patchinst program operates on one instance at a time. If you have multiple instances, you must repeat these steps for each instance.

12. Migrate customizations from your earlier start_ois_server and start_access_server startup scripts to the latest version. For example:
    a. Locate your backed up customized start_ois_server script and open it in an editor.
    b. Locate the latest start_ois_server script and open it in an editor.
    c. Copy any customizations from your backed up script into the latest version and save the file.
    d. Repeat steps a through c with your customized start_access_server script.
13. Repeat Steps 1-12 to apply the bundle patch to other instances, components, and platforms throughout your installation.

6.3 Failure During Bundle Patch Application


If there is a failure during your installation of the bundle patch, your original installation is restored automatically. You can check the window to see if you can discern the problem, then correct the problem and restart the bundle patch installation.

6.4 Uninstalling a Bundle Patch on Any System


The steps to remove a bundle patch from all systems are provided in the following procedure. While individual methods and commands may differ depending on your platform, the overall procedure is the same.
Note:

The patch program (patchinst) is used for both installation and removal of the bundle patch.

After unpatching, the bundle patch is removed and the system is restored to the state it was in immediately before patching.
Note: The unpatching process overrides any manual configuration changes introduced within an environment. These changes must be re-applied manually after unpatching.

Unpatching to remove a bundle patch is described in the following steps.

To uninstall a bundle patch on any system
1. Stop the Oracle Access Manager component and any application connecting to NetPoint components.
2. Back up the Oracle Access Manager component installation directory (Identity Server for example).
3. Move the backup directory to another location and record this so you can locate it later, if needed.
4. If the Oracle Access Manager component uses a Web server, turn that Web server off.
5. Open a command window and change to the component-specific binary parameter directory. For example:
   component_install_dir\<identity or access>\oblix\patch\101420BPnn\Oracle_Access_Manager10_1_4_3_0_BPnn_platform_Access_Server_binary_parameter
   The parameter directory in this example was installed with the bundle patch. In this example, component_install_dir is the directory where the component is installed; <identity or access> refers to either the Identity or Access System; 101420BPnn refers to the release and bundle patch number.
6. Enter the unpatch command for your platform as shown below, then press Enter:
   Windows Systems: patchinst.exe -u
   All Unix Operating Systems: ./patchinst -u
7. Type the full path to the component's installation directory and press Enter. For example:
   C:\OAM\access
   C:/OAM/access
   The bundle patch is now removed.
8. Re-apply any manual configuration changes that were introduced within the environment; these were removed during the unpatching process.

7 Known Issues
Table 6 identifies any known issues with this bundle patch release.

See Also:
Oracle Access Manager Release Notes 10g (10.1.4.3.0) For All Supported Operating Systems E12496-02 for known issues with the full-installer release
Oracle Access Manager Patch Set Notes, Release 10.1.4 Patch Set 2 (10.1.4.3.0) for All Supported Platforms for known issues with the patch set release

Table 6 Known Issues in this Bundle Patch

Bundle Patch Number: 10.1.4.3.0-BP04
Base Bug Number: 10009244
Description of the Problem: Unable to access a resource against RSA Authentication Manager 7.1 SP2 in an Active Directory Forest multi-domain environment. RSA SecurID authentication with AD Forest multi-domain is currently not supported.

Bundle Patch Number: 10.1.4.3.0-BP03
Base Bug Number: 9570863
Description of the Problem: As of April 16, Oracle certifies Sun Directory Server Enterprise Edition v7.0 (DSEE 7.0) for use with OAM 10.1.4.3. The following caveats apply:
Caveats: During OAM 10.1.4.3 base release installation, there is no option to choose DSEE 7.0 as a directory server. However, you can select Sun Directory Server 5.x. You must use the workaround provided here rather than attempting to update the directory server's schema during OAM 10.1.4.3 installation. Otherwise, the following error occurs:
Error 32: LDAP Invalid credentials. Or invalid directory type supplied. Or no such object
Workaround: Load the OAM schema and index using the bundled, command-line LDIF-Loader tool:
1. Locate the required schema and index files in the following Identity Server or Policy Manager path:
   LDAP server instance hosting user data only:
   install_dir/identity|access/oblix/data.ldap/common/
     iPlanet_user_schema_add.ldif
     iPlanet5_user_index_add.ldif
   LDAP server instance hosting user data and policy and/or configuration data, or only policy and/or configuration data:
   install_dir/identity|access/oblix/data.ldap/common/
     iPlanet_oblix_schema_add.ldif
     iPlanet5_oblix_index.ldif
2. Use the bundled, command-line LDIF-Loader tool to load the schema and index.

Bundle Patch Number: 10.1.4.3.0-BP03
Base Bug Numbers: 9324249, 9463207, 9394408
Description of the Problem: Microsoft Active Directory 2008 is certified with only 10.1.4.3-BP02 and later releases, not with the OAM 10.1.4.3 base release. Single domain, multi-domain with disjoint search bases, and multi-domain login, ADSI, and multi-forest topologies were tested.
Note: Only the full Active Directory mode is certified and supported. Neither upgrading from Active Directory 2003 nor operating in Active Directory 2003 compatibility mode is supported. OAM multi-forest support is limited to user data in one forest and policy and/or configuration data in another (more commonly known as split directory support).
During OAM 10.1.4.3 base release installation, there is no option to choose Active Directory 2008 as a directory server. However, you can select AD 2003 and follow the workaround below to load the schema.
Problem: Directory Server Password Changed. Policy Manager browser-based setup cannot be completed if the directory server password is changed.
Problem: Bind DN containing special characters. The following issue can occur with both Active Directory 2003 and 2008. Identity System browser-based setup cannot be completed when the administrator name contains a special character (for example, my & test abc). A setup error is displayed: Unable to contact the DS. This may happen if DS is down or invalid credentials are provided.
Problems:
1. An error occurs while trying to connect to the specified directory server (Domain server).
2. You are unable to search the specified search base of the directory server (Domain server).
Workaround: Ensure that the computer on which OAM is being installed is pointing to the correct DNS server.
Correct DNS Settings: On the computer on which OAM is being installed, add an entry for your domain server in the <WINDOWS SYSTEM ROOT>\etc\hosts file.

Workarounds
1. 2.

17

Table 6 (Cont.) Known Issues in this Bundle Patch Bundle Patch Number 10.1.4.3.0-BP01 Base Bug Number 9170527 Description of the Problem With Internet Explorer 8, you cannot see any tab description or status on the browsers status bar. For example, from the Identity System Console go to User Manager Configuration, Tabs, Create. In the view panel, provide a Mouse Over Message (Test Panel, for example). Now, open the profile for any user, click View Panels, and move the cursor onto the configured panel. Expected Result: The browser status bar should display the message provided for the panel. Actual Result: The browser status bar does not show the message and instead displays: javascript:showpanel(tab156464646:2) Note: To see a tab description or status on the browsers status bar, use the lower version of Internet Explorer.

8 Fixes Included in This Cumulative Bundle Patch


This section includes the following topics:

Section 8.1, "Fixes Provided with Bundle Patch 10.1.4.3.0-BP04"

8.1 Fixes Provided with Bundle Patch 10.1.4.3.0-BP04


This bundle patch provides specific fixes for core components on all platforms. The latest bundle patch is cumulative and includes all fixes in all previous bundle patches for the specified product release, Oracle Access Manager 10g (10.1.4.3.0). Table 7 identifies the fixes in this bundle patch release.
Table 7 Details of Cumulative Bundle Patch 10.1.4.3.0-BP04

Bundle Patch 10.1.4.3.0-BP04, Base Bug 9804500
Resolves an issue when an Authorization Action had set obmygroups with an LDAP filter that returns no entries.

Bundle Patch 10.1.4.3.0-BP04, Base Bug 9711090
By default, the caches managing authorization rules and authorization expressions have no timeout; authorization rules and expressions remain in the cache until explicitly flushed or until the Access Server is restarted. This release provides an option that sets the timeout for these caches to that of the Policy cache. The following parameter must be added to the globalparams.xml file of each Access Server to enable this behavior:
<SimpleList>
  <NameValPair ParamName="usePolicyTimeoutForAuthzCaches" Value="true"></NameValPair>
</SimpleList>

Bundle Patch 10.1.4.3.0-BP04, Base Bug 9674866
Resolves a problem that occurred with the OHS 1.3 WebGate on Windows used for integration with Oracle Application Server SSO, where under load Apache.exe consumed CPU, in increments of 25%, until the computer froze. The Oracle HTTP Server 1.3 for Windows had to be restarted to clear the problem.

Bundle Patch 10.1.4.3.0-BP04, Base Bug 9568796
Resolves a problem that prevented the Access Server and Policy Manager Access Tester from executing all authorization actions when evaluating some complex authorization expressions.

Bundle Patch 10.1.4.3.0-BP04, Base Bug 9532536
Resolves an issue that caused the Identity Server and Policy Manager Diagnostic pages to show the second primary user data directory server as up when it was actually down.

Bundle Patch 10.1.4.3.0-BP04, Base Bug 9477704
Resolves an issue where leading or trailing spaces were retained in a Policy Manager query string even after you removed them during modification. Leading and trailing spaces are now removed from policy query strings in a policy domain during creation.

Bundle Patch 10.1.4.3.0-BP04, Base Bug 9467628
Resolves a problem that resulted in the Selector page being unusable for a Portal Insert.

Bundle Patch 10.1.4.3.0-BP04, Base Bug 8870749
Adds support for RSA SecurID v7.1, as described in the updated chapter that accompanies this release: rsa_v7.pdf. See Oracle Technology Network (OTN) for:
Updated Documentation: http://www.oracle.com/technology/software/products/ias/htdocs/101401.html
OAM 3rd Party Release Notes: http://www.oracle.com/technology/software/products/ias/htdocs/101401_3rdparty_readme.pdf
10g WebGate/AccessGate Package List: http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oam_3rd%20party_oracle_integrations_package_list.xls

Bundle Patch 10.1.4.3.0-BP04, Base Bug 8839816
Resolves an issue that occurred in audit logs, where the date and GMT offset are correct, but the time is GMT+1. According to the Oracle Access Manager Access Administrator's Guide: "The time is always the GMT time on the host that received the request, followed by the host's offset from GMT". With the Time Zone set to GMT (with auto-adjust for daylight savings time) and a Master Audit Rule that includes the date and time, the Access Server event log shows:
Before the fix: *07:36:47 +0100 *
After the fix: *06:36:47 +0100 *

Bundle Patch 10.1.4.3.0-BP04, Base Bug 7283121
Resolves an issue where OAM incorrectly calculated the time zone difference, which caused the wrong time to be stored for success during authentication attempts.

Bundle Patch 10.1.4.3.0-BP03, Base Bug 9431910
Resolves an error during modification of a Challenge Response that could result in a page that failed to display the Challenge Question. This occurred if the challenge question field was read-only according to the ACL. A failure during modification of the response resulted in an error page and a modification screen that lacked the question field value.
Workaround: Configure the Challenge Question to be modifiable by the user.

Bundle Patch 10.1.4.3.0-BP03, Base Bug 9234857
Resolves an issue that caused the Access Server to raise an ObAMException when fetching a policy domain for the root URL "host:port/":
ObAMException: Access Test contains an invalid URL
With this fix, both "host:port" and "host:port/" are valid for the root URL.

Bundle Patch 10.1.4.3.0-BP03, Base Bug 9081944
Resolves an issue that caused changes to the User Cache configuration for the Access Server to not take effect. The Access Server was, instead, using the default cache configuration options.

Bundle Patch 10.1.4.3.0-BP03, Base Bug 8474555
A new parameter, EnableAuditToDatabase, for globalparams.xml resolves an issue that occurred when an Oracle_OCI database connection was configured for audit data but Audit to DB was off on the Access and Identity Server configuration pages. The servers attempted to connect to the database (despite auditing being switched off) and became unresponsive.
Possible values: true or false. A value of false avoids establishing connections when the DB profile is enabled and Audit to Database is Off in the configuration.
To add the parameter:
1. Locate the server's globalparams.xml file in: install_dir/oblix/apps/common/bin/globalparams.xml
2. Add the parameter and value to the file. For example:
   <NameValPair ParamName="EnableAuditToDatabase" Value="false" />
3. Restart the server.
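Both the usePolicyTimeoutForAuthzCaches parameter (bug 9711090) and EnableAuditToDatabase (bug 8474555) are NameValPair entries that have to be added to every Access Server's globalparams.xml. The following script applies such an edit idempotently, updating an existing pair or appending a new SimpleList, so it can be run across a cluster without duplicating parameters. It is an added example, not Oracle code; it assumes the file is a ParamsCtlg/CompoundList/SimpleList/NameValPair tree in the http://www.oblix.com namespace, as the fragments quoted in these notes suggest, and the embedded sample file is a constructed minimal stand-in for the real, much larger file.

```python
"""Idempotently set NameValPair parameters in an OAM globalparams.xml file.

Added example, not Oracle code. Assumed (not confirmed by the notes): the file
is a ParamsCtlg root holding a CompoundList of SimpleList/NameValPair elements,
all in the http://www.oblix.com namespace. SAMPLE_GLOBALPARAMS is constructed.
"""
import xml.etree.ElementTree as ET

NS = "http://www.oblix.com"
ET.register_namespace("", NS)  # serialise with the default namespace, as the file uses

# Constructed minimal sample; a real globalparams.xml carries many more parameters.
SAMPLE_GLOBALPARAMS = f"""<?xml version="1.0" encoding="UTF-8"?>
<ParamsCtlg xmlns="{NS}" CtlgName="globalparams">
  <CompoundList xmlns="{NS}" ListName="">
    <SimpleList>
      <NameValPair ParamName="EnableAuditToDatabase" Value="true"/>
    </SimpleList>
  </CompoundList>
</ParamsCtlg>
"""


def _q(tag: str) -> str:
    """Namespace-qualify a tag name for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


def get_param(xml_text: str, name: str):
    """Return the Value of the NameValPair with ParamName=name, or None."""
    root = ET.fromstring(xml_text)
    for pair in root.iter(_q("NameValPair")):
        if pair.get("ParamName") == name:
            return pair.get("Value")
    return None


def set_param(xml_text: str, name: str, value: str) -> tuple:
    """Return (new_xml, action); action is 'unchanged', 'updated' or 'added'.

    An existing pair is edited in place; otherwise a new SimpleList holding the
    pair is appended to the first CompoundList (the layout the notes show).
    """
    root = ET.fromstring(xml_text)
    for pair in root.iter(_q("NameValPair")):
        if pair.get("ParamName") == name:
            if pair.get("Value") == value:
                return ET.tostring(root, encoding="unicode"), "unchanged"
            pair.set("Value", value)
            return ET.tostring(root, encoding="unicode"), "updated"
    parent = root.find(_q("CompoundList"))
    if parent is None:
        raise ValueError("no CompoundList element in globalparams.xml")
    simple = ET.SubElement(parent, _q("SimpleList"))
    ET.SubElement(simple, _q("NameValPair"), {"ParamName": name, "Value": value})
    return ET.tostring(root, encoding="unicode"), "added"


def apply_bundle_patch_params(xml_text: str) -> tuple:
    """Apply both parameters from these notes and report what happened to each."""
    actions = {}
    for name, value in (("usePolicyTimeoutForAuthzCaches", "true"),
                        ("EnableAuditToDatabase", "false")):
        xml_text, actions[name] = set_param(xml_text, name, value)
    return xml_text, actions


if __name__ == "__main__":
    # For a live server: read install_dir/oblix/apps/common/bin/globalparams.xml,
    # run apply_bundle_patch_params, write the result back (re-adding the XML
    # declaration, which tostring() omits), then restart the server.
    new_xml, actions = apply_bundle_patch_params(SAMPLE_GLOBALPARAMS)
    print(actions)
    print(new_xml)
```

Take a backup of globalparams.xml before writing, and diff the result: ElementTree drops comments and reflows whitespace, so review the rewritten file once before rolling the change out to the remaining Access Servers.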

Bundle Patch 10.1.4.3.0-BP02, Base Bug 9387735
Resolves an error that occurred after upgrading and after clicking a WebGate name on the AccessGate page:
Error! An error has occurred in the product...

Bundle Patch 10.1.4.3.0-BP02, Base Bug 9340622
Resolves an issue with passthrough functionality on the SunOne WebGate. ObRequestedURL was missing from the login form POST action on the SunOne Web server.
Note: You must disable SlowFormLogin in the WebGate configuration for this fix to operate properly.

Bundle Patch 10.1.4.3.0-BP02, Base Bug 9336472
Resolves a redundant LDAP search that occurred when acquiring Access Server cluster information.

Bundle Patch 10.1.4.3.0-BP02, Base Bug 9311019
Resolves an issue with slow downloads with WebGates enabled for IIS Web servers. Using the Windows IIS v6.0 Web server, you might experience decreased performance. This is most noticeable when serving large pages and files, even if those resources are unprotected. This patch includes a new user-defined parameter that you can add to your WebGate configuration: IISResponseOptimize True
After applying the bundle patch:
1. From the Access System Console, open the WebGate configuration page: click Access System Configuration, click AccessGate Configuration in the navigation panel, then click the WebGate name.
2. In the User Defined Parameters section, enter the following:
   Parameter: IISResponseOptimize
   Value: True
3. Click Save.
4. Wait at least one minute for the change to propagate to the WebGate configuration file.
5. Restart the IIS Web server.

Bundle Patch 10.1.4.3.0-BP02, Base Bug 9280143
Resolves an issue that caused an internal error message (500) when accessing certificate-protected resources if the browser contained an idle- or max-session-expired cookie. This could occur even when the browser sent a valid certificate to WebGate.

Bundle Patch 10.1.4.3.0-BP02, Base Bug 9171634
Resolves an issue that occurred when a URL was passed to the Authenticating WebGate as a Query String or as a FormLoginCookie, which caused the resource WebGate to look for an unavailable or an incorrect resource.

Bundle Patch 10.1.4.3.0-BP02, Base Bug 8924818
Resolves an issue that caused authentication schemes using the "External Call" feature to fail sporadically.

Bundle Patch 10.1.4.3.0-BP02, Base Bug 8886568
Resolves an issue that prevented certain fields from forgoing encoding during URL construction. With this fix, those fields can forgo encoding during URL construction.

Bundle Patch 10.1.4.3.0-BP02, Base Bug 8747664
Resolves an issue that caused Oracle Access Manager to use URL encoding on a header name when the header was displayed in the browser. Spaces were URL-encoded as %20. This fix works in the same manner for both out-of-the-box WebGates and custom AccessGates (created using the ASDK).

Bundle Patch 10.1.4.3.0-BP02, Base Bug 8407259
Resolves a connection management issue that caused Domino WebGates to require rebooting several times daily. This does not occur when you use the new user-defined WebGate parameter MaxPostDataLength, which requires a value within the range of 100 bytes to 0.75MB. With the MaxPostDataLength parameter set, POST data length is limited to the specified size. Oracle recommends that you do not set the value to less than 100. By default, or if this parameter is set to a value beyond the specified range, POST data length is limited to the default size of 0.75MB. Like other user-defined WebGate parameters, MaxPostDataLength is optional. To use it, add it to the WebGate Configuration page in the Access System Console.

Bundle Patch 10.1.4.3.0-BP02, Base Bug 8269698
Resolves an issue with the WebSphere Application Server TAI implementation that caused a null pointer exception if ObSSOCookie was not present in the request. Now, the isTargetInterceptor method returns false if an ObSSOCookie is not found and true if ObSSOCookie is found.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 9150481
Resolves an issue with an earlier fix for a bypass of protection in which a protected URL's forward slash was substituted with the URL-encoded backslash (%5C). That fix caused all backslashes in a URL to be replaced with forward slashes, so policies that depend on a backslash in the query parameters would fail.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 9058606
Resolves an issue where tickets locked by one user could be processed by another user.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8871282
Resolves an issue that resulted in a failure to delete all login cookies after multiple successful login and logout attempts. For instance, after successfully accessing a protected resource and logging out, the same login page would appear again.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8867628
Resolves an issue that caused incorrect authentication when you had duplicate userIDs across two or more different user directories and custom plug-ins in the authentication scheme. Chained authentication (authentication schemes using multiple credential_mapping steps in the same flow) returned the incorrect user DN and ObSSOCookie.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8859196
Resolves an issue with Policy Manager for the Apache 2.2 Web server on Linux, which was unable to update the httpd.conf file because the apache_access.template file was missing.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8835486
Resolves an issue that caused the Access Server to produce a core dump regularly during performance testing, with many errors related to the SQL Adapter in the Access Server oblog file.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8797457
Resolves an issue that prevented users whose DNs contain a comma that is escaped with "" from authenticating.
Workaround for Oracle Internet Directory: Modify the DN of the user in question to escape the comma using \ instead of "".

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8778028
Resolves an issue that caused the Oracle Access Manager SNMP Agent to return incorrect values or no values at all. The Fusion Middleware Enterprise Manager Console did not show any metrics for the directory server (number of live connections) or the average service time per request.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8724017
Resolves an issue that caused the Windows version of the Access Server to have a large amount of memory overhead when handling client connections. This resulted in instability, such as crashing or hanging, when the Access Server handled more than 1600 client connections. In this case, the Windows Event log reported an error similar to the following:
Application popup: aaa_server.exe - Application Error : The instruction at "0x7c81bd02" referenced memory at "0xdb17105d". The memory could not be "read".

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8723065
Resolves an issue that prevented a proper view of the policy domain list when LIMITAMPOLICYDOMAINRESOURCEDISPLAY is set to true in globalparams.xml.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8672661
Resolves an issue that allowed user access upon successful login after failed login attempts with an incorrect password had exceeded the "Number of login tries allowed" specified in the password policy. The user should have been locked out when attempts exceeded the "Number of login tries allowed".

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8612360
Resolves an issue that occurred when using an RSA plug-in as part of the authentication process and a userID was greater than 24 characters: OAM-SecurID authentication would fail. UserIDs of greater than 24 characters are now allowed with the RSA authentication plug-in.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8612152
Resolves an issue that occurred when the requested URI contained a blank space character: a challenge redirect failure occurred after successful authentication.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8533325
Resolves an issue with the RSA BSAFE Crypto-C Developer Toolkit that addresses the "CPU ID unknown" problem. When the CPU ID was not recognized, the code would originally fall back to the 386 optimization code, which was broken. With this fix, the code defaults to the C source when the CPU ID is unknown.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8514857
Resolves an issue that caused an exception during WebGate initialization when a URL string ends in % (%25, for example).

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8499305
Resolves an issue where the User Selector sometimes failed when modifying an authorization rule's 'Allow' or 'Deny' field to add users or groups to the list. The following error would appear in the Policy Manager log, and the user might encounter an error message in the browser:
bad request method
This affected User Manager and Policy Manager with Apache 1.3 and OHS Web servers.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8494851
Resolves an issue that occurred when integrating with ASP.NET. When the same value was passed to HeaderVar and OblixHttpModule, the OblixHttpModule value was empty while HeaderVar displayed properly. For ASP.NET integration, the OblixHttpModule Headers must be set properly.
Before this fix, documentation specified setting the OblixHttpModule Header as follows:
Type             Name   Value
OblixHttpModule  Role   manager
OblixHttpModule  Role   guest_user
After this fix, you must specify the OblixHttpModule Header in the following manner:
Type             Name   Value
OblixHttpModule  Role1  manager
OblixHttpModule  Role2  guest_user

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8462655
Resolves an issue that caused the Keygen tool to core dump if the specified installation directory was at an incorrect level.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8462354
Resolves an issue with Keygen tool usage, where the text says that the default key length is 256 bits yet only a 128-bit key is generated.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8458994
Resolves a decrypt error that occurs when setting the attribute plug-in to use lower key lengths.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8452371
Resolves a decrypt error that occurs when setting the attr plug-in to use lower key lengths. LD_LIBRARY_PATH must be set when using Keygen.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8440517
Resolves an issue that occurs when using ADAM 2003 as a user directory. After patching the Identity Server and WebPass to 10g (10.1.4.2.0), unsubscribing a group member might not work.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8428450
This release includes a new user-defined WebGate configuration parameter, maxSessionTimeUnits, that allows the MaxSessionTime parameter to be interpreted as a number of minutes instead of the default (hours). This new parameter resolves a problem that caused Access Servers in a clustered environment to suddenly fail. Some firewalls forcefully disconnect Access Server connections over a certain age or idle time, which causes a resource leak in the Access Server. If you are affected by this issue but unable to modify the firewall time-out settings, you can use maxSessionTimeUnits to remedy the problem. Lowering the Maximum Client Session Time does increase the frequency with which access clients close and re-open connections to the Access Server, which increases network traffic. Therefore, the Maximum Client Session Time value should be as high as possible within the limits of the firewall settings. Note that the MaxSessionTime field still reads "(hours)"; however, the presence of the maxSessionTimeUnits parameter causes the Maximum Client Session Time (hours) to be interpreted in minutes.
To enable this option:
1. From the Access System Console, click Access System Configuration, then click AccessGate Configuration.
2. Select the search attribute and condition from the lists, or select All to find all AccessGates, then click Go.
3. Click the name of the AccessGate to modify.
4. Click Modify.
5. Locate User-Defined Parameters and add the following parameter and value: maxSessionTimeUnits minutes
6. Click Save to save your changes.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8402314
Resolves an Access Server crash that could be triggered by passing bad DN strings to the authz_attribute plug-in.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8400834
Resolves an issue that occurred with servlets that use the Access Manager SDK inside a Web server such as WebLogic. Under load conditions, the SDK crashed with an illegal memory access error, which crashed the JVM.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8374638
Resolves an issue that caused the Access Server to leak memory when communication with a Web component was in Simple mode and SSL was enabled.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8373039
Resolves an issue that might prevent failover when a directory server that has an SSL connection with Oracle Access Manager hangs.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8348444
Provides a workaround for use when Photo attributes cannot be modified when you modify a user in the Panel view.
Known Issue: In such cases, file inputs are moved, not copied. Inputs are lost if 'Cancel' is used in a Save Confirmation pop-up.
Workaround:
1. Click Cancel on the current page.
2. Click Modify on the current page.
3. Select the image path using the Browse button.
4. Click the Save button.
5. Click OK.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8339614
Resolves an issue that caused Access Server core dumps if a non-existent policy node was referenced.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8283475
Resolves an issue that occurred when the command OPTIONS * HTTP/1.0 was issued as part of an application, and an error was raised. Now, HTTP commands like OPTIONS * ... function correctly.
Note: WebGate is affected and must be patched.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8261373
Resolves an issue that caused a request for authorization to fail when you have leading or trailing spaces in an authorization expression, for example: " name_with_spaces ". When the API encountered authorization rules with spaces, it would fail. Now, leading or trailing spaces are removed during Authorization Rule creation.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 8242909
Resolves a memory leak that resulted in production Access Server crashes after a period of load. Resources were protected using the Anonymous Authentication scheme with "Deny on not protected" set, and the user store was Microsoft Active Directory.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 7834026
Resolves an issue that prevented setting an attribute in a reactivation or deactivation workflow as "REQUIRED". Instead, such attributes were marked as optional and processing could occur without providing the "REQUIRED" information.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 7718451
Resolves a problem that caused WebPass to delete a variable owned by the Apache Web server, which resulted in a core dump.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 7704723
Resolves an issue that caused adding URL resources to a policy domain to be extremely slow once the Add button was clicked. The issue also impacted performance during user login.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 7682083
Resolves an issue that occurred when Oracle Access Manager was integrated with Oracle Identity Federation. The issue caused the following error in the Access Server authz_attribute_plugin_log.txt file when the Access Server Authorization plug-in generated the SOAP AttributeRequest:
Received SOAP response ERROR: Incorrect response: No XML document; Response
Evaluating rule expression attribute1="ValueA"
Evaluated attribute1 = "ValueA"; result = false
The Access Server did not send the SOAP request for the attribute to Oracle Identity Federation, and the message log (federation-msg.log) was not updated with any request or response.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 7655194
Resolves a problem that did not provide logging statements after a call to the SetLastDBErrorString() function. Logging statements have been added. The fix enables WARNING-level logging for the Identity Server. If the modify password operation fails, the following string should appear in the oblog.log file:
For Active Directory: DB::Agent::ObLDAP::ObAD::ChangePassword
For ADSI: DB::Agent::ObLDAP::ObADSI::ChangePassword

Bundle Patch 10.1.4.3.0-BP01, Base Bug 7554312
Resolves the problem of the Oracle-provided attribute-sharing authorization plug-in not supporting load balanced, clustered Access Servers. This release contains a modified version of the Attribute Sharing Plug-in and a utility called Keygen. Keygen is provided with the Access Server in oblix/tools/keygen. Using Keygen enables you to achieve load balancing support while using the attribute sharing plug-in. Key.xml is a new file that can be generated using Keygen. Documentation is provided in config.xml within oblix/config/attributesharing. For more information, see Knowledge Base article #849016.1 on My Oracle Support (formerly MetaLink) at: http://support.oracle.com

Bundle Patch 10.1.4.3.0-BP01, Base Bug 7462408
Resolves an issue that occurred when a user violated a password policy, which resulted in being unable to set the new password during a workflow.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 7236883
Resolves a problem that caused the Access Server Cluster configuration to be deleted from the associated WebGate.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 7227822
Resolves a problem where X509 Certificate authentication failed while extracting the "certSubject.DN" from the user certificate in the credential_mapping plug-in within the authentication scheme.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 7201044
Resolves a problem that caused the Japanese local date to appear in an unacceptable format (month/dd/yyyy) on the "Password Expiry Warning Notice". The acceptable Japanese format (in English) is yyyy<character for year>MM<character for month>dd<character for date>.

Bundle Patch 10.1.4.3.0-BP01, Base Bug 5980473
Resolves a problem in the Mail interface from the Identity Server where Content-Transfer-Encoding was not RFC 2045 compliant. Previously, when Oracle Access Manager was configured to send an email on password change, the email that was sent contained a typo in the Content-Transfer-Encoding header line, as follows:
Content-Transfer-Encoding: 8-bit
Spam gateway filters blocked the email messages, tagging them as Malformed Mime. This is now fixed and the header line now reads as follows:
Content-Transfer-Encoding: 8bit

9 Documentation Issues
This section provides the following topics:

Section 9.1, "Documentation Issues Resolved in Bundle Patch 10.1.4.3.0-BP04"
Section 9.2, "Known Documentation Issues Announced with the Patch Set"

9.1 Documentation Issues Resolved in Bundle Patch 10.1.4.3.0-BP04


Table 8 identifies the documentation issues that have been identified in the Oracle Access Manager 10g (10.1.4.3.0) manuals. These books will not be updated.

Table 8 10g (10.1.4.3) Documentation Issues Resolved with this Bundle Patch

Bug 6142166
User-Defined WebGate Parameter to Harden Oracle Access Manager information is missing from the Oracle Access Manager Access Administration Guide chapter on "Configuring WebGates and Access Servers." See Also: "Details of Bug 6142166" on page 33.

Bug 8462464
The following new item should be added to the Troubleshooting chapter of the Oracle Access Manager Access Administration Guide:
Misleading Authorization Error in Access Server Log File
Problem: In the oblog file for one of the Access Servers in a load balanced configuration, the following warning can appear:
Warning ... "Error while evaluating the rule" ... RuleID^ ... Error returned is ^Authorization evaluation returned Need more info as the return code ...
Solution: This is valid behavior. It is common for the Access Server to return a "Need More Info" return code when it does not have the information required for authorization. When WebGate sends an authorization request, it does not send the SubjectDN. When the Access Server responds with a "Need More Info" return code, the required information is identified. The next WebGate request provides the required information (for instance, the value of SubjectDN), and authorization succeeds.

Bug 8394871
The example of a configured Identity Server failover.xml file on page 4-16 of the Oracle Access Manager Deployment Guide should be renamed and include the following information:
New Name: Example: Identity Server failover.xml
Added Information: The example on page 4-16 illustrates an edited Identity Server failover.xml file. This finished example does not exactly match the Oracle-provided sample in install_dir/oblix/config/ldap/sample_failover.xml. The Oracle-provided sample_failover.xml file includes a primary LDAP server section that should be removed when configuring secondary LDAP servers for failover. The primary LDAP server section includes:
<!-- Specify the list of all primary ldap servers here -->
<ValList xmlns="http://www.oblix.com" ListName="primary_server_list">
  <ValListMember Value="prim_ldap_server" />
</ValList>
...
<!-- Specify the details of each primary ldap server here -->
<ValNameList xmlns="http://www.oblix.com" ListName="prim_ldap_server">
....
If the primary LDAP server section is not removed, Oracle Access Manager can, in certain circumstances, access the primary LDAP server twice.
Note: No primary LDAP server should be specified in the failover.xml file.

Table 8 (Cont.) 10g (10.1.4.3) Documentation Issues Resolved with this Bundle Bug 8488384 Description Several component notations should appear in Step 5 of the procedure, "To order the WebGate ISAPI filters" in the Oracle Access Manager Installation Guide: 5. Confirm the following .dll files appear. For example: cert_authn.dll webgate.dll oblixlock.dll transfilter.dll 8898247 (WebGate) (WebGate) (Policy Manager) (WebPass)

The following should appear in the WebGate chapter, "Installing postgate.dll on IIS Web Servers" of the Oracle Access Manager Installation Guide: Following WebGate installation, you might need to install the postgate.dll manually. The Web page that opens at the end of a successful installation provides steps that ask you to configure postgate.dll and IIS in isolation mode. This is optional.

8884619

The noOfFields element is in the wrong location in the sample code of the "Search Parameters" section of the Oracle Access Manager Developer Guide: Incorrect: ... <oblix:SearchParams> <oblix:noOfFields>2</oblix:noOfFields> <oblix:Condition> ... Correct ... <oblix:Params> <oblix:noOfFields>2</oblix:noOfFields> <oblix:SearchParams> <oblix:Condition> ...

8537834 8582575

The following information should appear in the Troubleshooting chapter of the Oracle Access Manager Installation Guide: Problem On Linux, you cannot specify the same WebGate installation destination used by another WebGate. If you do, the installer returns to the command prompt. The directories of other Identity Management Suite components (Oracle Internet Directory, Oracle Virtual Directory, Oracle Identity Federation) can be cleaned up by running the command rm rf* after killing the processes on Linux. However, you cannot this command does not work with Oracle Access Manager. Solution
1. 2. 3.

Remove the WebGate using the uninstaller in the _uninstWebGate directory. Delete any remaining files in the installation directory manually. Restart the WebGate installation and specify a different destination directory.


Table 8 (Cont.) 10g (10.1.4.3) Documentation Issues Resolved with this Bundle

Bug 8845697
Description: The Oracle Access Manager Developer Guide refers to out-of-date filenames netlibmsg.lst and ObAccessClient.msg. These should instead be netlibmsg.xml and ObAccessClient.xml, respectively. Both of these files reside in the installation path ...\oblix\lang\en-us under the ASDK installation directory.
Note: This ObAccessClient.xml file contains response messages and performs a different function from the file with the same name located in the \oblix\lib directory (which contains the AccessGate's configuration and is not just an example, as implied in the section describing files in the \lib directory).

Bug 8845145
Description: The following information should appear in the Troubleshooting chapter of the Oracle Access Manager Access Administration Guide:
Problem: The Policy Cache Timeout parameter has no effect on modifications to authorization rules because these rules are stored in a different cache. Configuration options for the authorization rule cache are not available in the System Console or in the Access Server configuration schema.
Solution: Always check the Update Cache box to flush the cache when modifying authorization rules and expressions.

Bug 8985683
Description: The following information should appear in the Troubleshooting chapter of the Oracle Access Manager Access Administration Guide:
Problem: A resource can become unprotected if you have the same host:port in multiple host identifiers.
Solution: Ensure that only the host identifier used in the policy domain has the host:port in its definition. Remove host:port from all other host identifiers.

Bug 8995163
Description: The following information should appear in the Troubleshooting chapter of the Oracle Access Manager Access Administration Guide:
Problem: After setting up Policy Manager and logging in as a Master Administrator, the following error might occur: There was a problem obtaining the user ID.
One possible reason for this is a time difference between the Identity System and the Access System (Policy Manager and Access System Console).
Solution:
1. Go to the directory server and make a backup copy of the cookie encryption entry under the o=oblix node in an ldif file.
2. Delete the cookie encryption key under the o=oblix node (without touching the CPResponseEncryptionKey).
3. Restart the Identity Server.


Table 8 (Cont.) 10g (10.1.4.3) Documentation Issues Resolved with this Bundle

Bug 9071408
Description: The following correct information should replace incorrect details in the procedure "To create an AccessGate instance" in the "Configuring WebGates and Access Servers" chapter of the Oracle Access Manager Access Administration Guide:
Incorrect: 7. Maximum Client Session Time: Specify the connection maintained to the Access Server by the AccessGate. If you selected Open in the Transport Security field, this field is ignored.
Correct: For all three security modes (Open, Simple, or Cert), Max Client Session Time handling is the same.

Bug 9084059
Description: The following changes are required in all Oracle Access Manager manuals and notes:
Problem 1: Sample code is no longer bundled with any package after the 10.1.4.3 release.
Solution 1: Ignore all references to sample code directories in manuals and notes.
Problem 2: Some interface files for the Access Server have been moved from the sample directory. This changes the existing directory structure for the Access Server.
Solution 2: Note the location changes for the following files:
   authn_api.h
      From: oblix/sdk/authentication/samples/authn_api/include/authn_api.h
      To: oblix/sdk/authn_api/authn_api.h
   as_plugin_utils.h
      From: oblix/sdk/authentication/samples/authn_api/include/as_plugin_utils.h
      To: oblix/sdk/authz_api/as_plugin_utils.h
   authz_plugin_api.h
      From: /oblix/sdk/authorization/samples/authz_api/include/authz_plugin_api.h
      To: oblix/sdk/authz_api/authz_plugin_api.h

Details of Bug 6142166
Details of the user-defined WebGate parameter that hardens Oracle Access Manager are missing from the Oracle Access Manager Access Administration Guide chapter "Configuring WebGates and Access Servers." The details are provided here.


User-Defined WebGate Parameter to Harden Oracle Access Manager
You can add a new multi-valued user-defined WebGate configuration parameter, SSODomains, to define the specific, legitimate Web servers within the OAM deployment to which the session token can be sent. If a Web server is not listed in the SSODomains parameter, WebGate does not redirect information to that Web server. Each value in the SSODomains parameter describes one or more Web servers. The SSODomains parameter is intended to provide a relatively short list of specifications, using domain names and IP addresses with wildcards, that covers all of the installation's Web servers. Adding details for each individual Web server is possible, but is not easily managed.
Syntax: ssoDomains = ssoDomainSpec | ssoDomains ssoDomainSpec
Parameter: ssoDomains
Value: ssoDomainSpec | ssoDomains ssoDomainSpec

You can specify the host as a fully-qualified domain name (the preferred form), an IP address, or a partially-qualified or unqualified domain name; that is, both IP addresses and domain names can be used. Partially-qualified and unqualified domain names can be specified as domainSpecs. Table 9 explains the syntax IDs and values. Several guidelines follow the table.
Table 9 ssoDomains Syntax Description

Syntax ID       Definition                                              Sample Value
ssoDomainSpec   domainSpec | ipSpec
domainSpec      domain[:port]                                           mydomain:8000
domain          domainName | domainName.domain                          mydomain, my_domain, my-domain, my-domain.uk.com
domainName      The usual DNS name: alphanumeric characters, plus - or _ and so on.
port            1 to 5 digits                                           7001
ipSpec          ipPart.ipPart.ipPart.ipPart[:port]                      130.35.12.45:7001
ipPart          ipComponent | ipWildCard
ipComponent     1 to 3 digits                                           130
ipWildCard      *                                                       130.35.*.*

Specs such as company.com, subsidiary.com, 130.35.*.*, and 130.36.*.* accept any Web server host in the company.com or subsidiary.com domains, or IP addresses beginning with 130.35 or 130.36. In addition, an unqualified target host name can be listed. For each specification within the SSODomains value, the following WebGate processing applies:

Ports: If the spec has a port, it must match the host port. If the host does not have an explicit port, the default (80 for http, 443 for https) is used.

IP Address: If the host is an IP address and the spec is an ipSpec, WebGate matches each ipPart of the host and spec (from left to right). A wild card, asterisk (*), can be used in the IP address. For example, specifying an IP address of 130.35.*.* matches a host of 130.35.12.45 (but not 130.36.12.45).

DNS Name: If the host is a DNS name and the spec is a domainSpec, WebGate matches each domainName of the host and spec (from right to left), until the spec is completely matched. For example, a spec of company.com matches target.company.com and target.us.company.com (but not www.badsite.com). WebGate continues processing until a spec matches the host or until all specs have been tested.

SSODomains Behavior
Earlier WebGate behavior is the default: WebGate redirects to the Web server. To harden Oracle Access Manager, you must configure SSODomains on the WebGate configuration page.

If SSODomains is not specified, the host always matches and default WebGate behavior occurs (information is redirected to the Web server). If SSODomains is included but the value is empty, then the host never matches. This allows you to specify that a WebGate will not service any requests. Oracle recommends this for all WebGates that are not intended to be authentication servers (as indicated by authentication scheme challenge redirect URLs).

The burden of covering all hostname variations in the SSODomains parameter can be lessened by configuring Preferred HTTP Hosts for the target WebGates. If SSODomains is also configured for the target WebGate (preferably with no domains, to prevent the WebGate from being used for authentication), the target WebGate will use the preferred host. Consequently, the SSODomains value for the authenticating WebGate only needs to cover the domains of the preferred hosts. One good strategy is to include in the SSODomains specs the Primary HTTP Cookie domains defined for each configured WebGate, on the theory that the ObSSOCookie will be available to every Web server in those domains. If the request does not match any spec in SSODomains, WebGate returns the following error:
Bad Oracle NetPoint Request

WebGate also logs a WARNING that includes the SSODomains values:
"The rh parameter of a received /obrareq.cgi URL is not allowed by the WebGate's SSODomains parameter"
This means that either someone, potentially an attacker, is misusing the URL, or a legitimate redirection is not adequately covered by the SSODomains parameter.

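The matching rules above (port comparison with the http/https defaults, left-to-right ipPart matching with the * wildcard, right-to-left domain label matching, and the distinction between an absent and an empty parameter), written out as an added Python example. This is not Oracle's WebGate code: the function names, the constructed spec list, the sample URLs and the shape of the warning string are assumptions made here, and DNS labels are compared case-insensitively as this example's own choice.

```python
"""SSODomains matcher: an added example, not Oracle's WebGate code.

It implements the rules stated above for one ssoDomainSpec at a time:
  * a spec port must equal the request port; a request without an explicit
    port gets 80 for http and 443 for https;
  * an ipSpec is compared to an IP host left to right, ipPart by ipPart,
    with '*' matching any component;
  * a domainSpec is compared to a DNS host right to left, label by label,
    until the spec is used up;
  * an absent parameter matches every host, a present-but-empty one none.
Function names, the constructed spec list and the sample URLs are
assumptions made for this example.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _split_host_port(spec):
    """'host[:port]' -> (host, port or None)."""
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return spec, None


def _is_ip(text):
    """True for a dotted quad whose parts are digits or '*'."""
    parts = text.split(".")
    return len(parts) == 4 and all(p == "*" or p.isdigit() for p in parts)


def _ip_matches(host, spec_host):
    """Left-to-right ipPart comparison; a DNS host never matches an ipSpec."""
    if not _is_ip(host):
        return False
    return all(s == "*" or s == h
               for h, s in zip(host.split("."), spec_host.split(".")))


def _domain_matches(host, spec_host):
    """Right-to-left label comparison; an IP host never matches a domainSpec."""
    if _is_ip(host):
        return False
    host_labels = host.lower().split(".")
    spec_labels = spec_host.lower().split(".")
    if len(spec_labels) > len(host_labels):
        return False
    return host_labels[-len(spec_labels):] == spec_labels


def host_allowed(target_url, sso_domains):
    """Return True when WebGate may redirect to target_url.

    sso_domains: None -> parameter not configured (legacy: always matches)
                 []   -> parameter present but empty (never matches)
                 list -> one ssoDomainSpec per entry
    """
    if sso_domains is None:
        return True
    parts = urlsplit(target_url)
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS.get(parts.scheme, 80)
    for spec in sso_domains:
        spec_host, spec_port = _split_host_port(spec)
        if spec_port is not None and spec_port != port:
            continue                      # port mismatch: try the next spec
        if _is_ip(spec_host):
            if _ip_matches(host, spec_host):
                return True
        elif _domain_matches(host, spec_host):
            return True
    return False                          # the "Bad Oracle NetPoint Request" path


def check_redirect(target_url, sso_domains):
    """Decision plus a constructed warning line of the kind the text describes."""
    if host_allowed(target_url, sso_domains):
        return True, None
    return False, ("WARNING: rh parameter %r is not allowed by SSODomains %r"
                   % (target_url, sso_domains))


if __name__ == "__main__":
    # Constructed configuration: the domains and networks named in the text.
    SSO_DOMAINS = ["company.com", "subsidiary.com", "130.35.*.*", "130.36.*.*", "target"]
    for url in ("http://target.us.company.com/app", "http://www.badsite.com/",
                "http://130.35.12.45:7001/app", "http://130.36.12.45/", "http://target/"):
        print(url, check_redirect(url, SSO_DOMAINS))
```

The `None` versus `[]` distinction is the one the text makes between an unconfigured parameter and a configured-but-empty one: the second is the recommended setting for any WebGate that should never act as an authentication server.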
9.2 Known Documentation Issues Announced with the Patch Set


Table 10 repeats issues in the documentation and workarounds that were made available with the 10g (10.1.4.3) patch set release. These books will not be updated.


Table 10 Known Issues in Oracle Access Manager 10g (10.1.4.3) Documentation

Bug N/A
Description: Within the Oracle Access Manager manuals, references to the 10g (10.1.4.3) installers download site are incorrect. The correct site is shown here.
Correct: http://www.oracle.com/technology/software/products/middleware/htdocs/111110_fmw.html

Bug N/A
Description: Within Oracle Access Manager manuals, references to the Oracle Access Manager software categories and Readme on the installer download site are incorrect.
Correct:
   Access Manager Core Components 10g (10.1.4.3)
   Access Manager WebGates 10g (10.1.4.3)
   Policy Manager and WebPass on Third Party and non-OHS 11g Web Servers
   Access Manager Language Packs 10g (10.1.4.3)
   GCC Libraries
   More Info +
Note: There is no general Readme file; instead, click the plus icon (+) beside More Info + to learn more about the component packages in the Core Components and WebGates categories.

Bug N/A
Description: Within Oracle Access Manager manuals, references to the 10g (10.1.4.3) documentation download site are incorrect. The correct site is shown here.
Correct: Oracle Access Manager Online Documentation Libraries: http://www.oracle.com/technology/documentation/oim1014.html
   E15217-01 ... Oracle Access Manager 10g (10.1.4.3) Online Documentation Library
   E10761-01 ... Oracle Access Manager 10g (10.1.4.2.0) Online Documentation Library
   B28196-01 ... Oracle Identity Management 10g (10.1.4.3.0) Online Documentation Library

Bug 8636800
Description: The Oracle Access Manager Installation Guide chapter on troubleshooting provides broad guidelines for tuning httpd.conf directives for Oracle HTTP Server 11g or Apache v2 with Oracle Access Manager 10g (10.1.4.3).


Table 10 (Cont.) Known Issues in Oracle Access Manager 10g (10.1.4.3) Documentation

Bug 5752513
Description: The Oracle Access Manager Developer Guide incorrectly states the locations of several samples, as follows:
authn_api.h: This file contains definitions of the set of utilities that the Access Server provides to all authentication plug-ins and definitions of the API data and functions.
   From: oblix/sdk/authentication/samples/authn_api/include
   To: oblix/sdk/authn_api/
as_plugin_utils.h: This file defines a set of utilities that the Access Server provides to all authorization plug-ins. authz_plugin_api.h defines the API data and functions, and includes the other header file.
   From (UNIX): oblix/sdk/authorization/samples/authz_api/include
   From (Windows): oblix/sdk/authorization/samples/include
   To (Both Platforms): oblix/sdk/authz_api/
authz_plugin_api.h: This file defines the API data and functions, and includes the other header file.
   From (UNIX): oblix/sdk/authorization/samples/authz_api/include
   From (Windows): oblix/sdk/authorization/samples/include
   To (Both Platforms): oblix/sdk/authz_api/

Bug 8279704
Description: The Oracle Access Manager Access Administration Guide section "Securing the ObSSOCookie in an Authentication Scheme" instructs you to specify a challenge parameter: ssoCookie:httponly. However, ssoCookie:httponly and ssoCookie:secure might have been misstated in the guide.
Note: Together, ssoCookie:httponly and ssoCookie:Secure in the challenge parameter of the authentication scheme secure the ObSSOCookie. The challenge parameter is case-sensitive. Be sure to enter an uppercase C in ssoCookie.

ssoCookie:httponly is enabled by default to ensure that the ObSSOCookie is not accessible to client-side scripts such as JavaScript. This parameter can be disabled by specifying ssoCookie:disablehttponly in the authentication scheme.
ssoCookie:Secure must be added to the challenge parameter of an authentication scheme to ensure that an ObSSOCookie is not set when a resource is accessed using HTTP under a secure network. The cookie is set only when the resource is accessed through HTTPS. Note: Be sure to enter an uppercase S in Secure.

The ssoCookie: challenge parameter can contain multiple values separated by a semicolon (;). For example, to send the ObSSOCookie only over an SSL connection while allowing access to the ObSSOCookie through client-side scripts, set ssoCookie:Secure;disablehttponly as the challenge parameter.
Note: ssoCookie:max-age is another general cookie attribute supported by Oracle Access Manager. This attribute creates a persistent cookie in some browsers (Internet Explorer and Mozilla), rather than a cookie that lasts for a single session. In the challenge parameter for the authentication scheme, add the following, based on the needs of your environment:
   ssoCookie:max-age=time-in-seconds
For more information, see "Retaining the ObSSOCookie Over Multiple Sessions" in the Oracle Access Manager Access Administration Guide.
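To make the effect of the challenge parameter concrete, the following added Python example parses an ssoCookie: challenge string with the attributes documented above (httponly on by default, disablehttponly, Secure, max-age=N) and renders the resulting Set-Cookie header for the ObSSOCookie. This is not Oracle code and not how WebGate is implemented; the function names, the cookie value and domain are constructed, and rejecting an unrecognised or wrongly-cased attribute with an error is this example's choice (the page says only that the parameter is case-sensitive).

```python
"""Added example: ssoCookie challenge parameter -> Set-Cookie attributes.

Not Oracle's WebGate code. The attribute names come from the text above;
the helper names, the cookie value and the domain are constructed here.
"""
from http.cookies import SimpleCookie

PREFIX = "ssoCookie:"


def parse_sso_cookie_param(challenge_param):
    """Return {'httponly': bool, 'secure': bool, 'max_age': int or None}.

    Matching is case-sensitive, as the documentation requires (uppercase C
    in ssoCookie, uppercase S in Secure). Unknown tokens raise ValueError
    so that a misspelled attribute is noticed instead of silently ignored
    (an example choice; the page does not say what WebGate does here).
    """
    if not challenge_param.startswith(PREFIX):
        raise ValueError("challenge parameter must start with 'ssoCookie:'")
    attrs = {"httponly": True, "secure": False, "max_age": None}  # httponly default
    for token in challenge_param[len(PREFIX):].split(";"):
        token = token.strip()
        if not token:
            continue
        if token == "httponly":
            attrs["httponly"] = True
        elif token == "disablehttponly":
            attrs["httponly"] = False
        elif token == "Secure":
            attrs["secure"] = True
        elif token.startswith("max-age="):
            attrs["max_age"] = int(token[len("max-age="):])
        else:
            raise ValueError("unknown ssoCookie attribute: %r" % token)
    return attrs


def build_set_cookie(challenge_param, value, domain):
    """Render a Set-Cookie header value for ObSSOCookie from the parsed attributes."""
    attrs = parse_sso_cookie_param(challenge_param)
    jar = SimpleCookie()
    jar["ObSSOCookie"] = value
    morsel = jar["ObSSOCookie"]
    morsel["domain"] = domain
    morsel["path"] = "/"
    if attrs["httponly"]:
        morsel["httponly"] = True        # not readable from client-side script
    if attrs["secure"]:
        morsel["secure"] = True          # only sent over HTTPS
    if attrs["max_age"] is not None:
        morsel["max-age"] = attrs["max_age"]   # persistent rather than session cookie
    return morsel.OutputString()


if __name__ == "__main__":
    # Constructed value and domain; the three parameter strings are from the text.
    for param in ("ssoCookie:httponly", "ssoCookie:Secure;disablehttponly",
                  "ssoCookie:Secure;max-age=3600"):
        print(param, "->", build_set_cookie(param, "constructed-token", ".company.com"))
```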


Table 10 (Cont.) Known Issues in Oracle Access Manager 10g (10.1.4.3) Documentation

Bug 8443139
Description:
Setup: An Apache-based Web server is configured as a Reverse Proxy, and a proxy for the Web server root "/" is added in httpd.conf. You can access all the resource Web server URLs through the Reverse Proxy host and port. If the Lost Password Management (LPM) setting is enabled in the Reverse Proxy WebGate environment, the flow runs through Reverse Proxy access. If a user's password has been reset, the user is asked to change the password. During the flow, the backURL is picked up from the back-end resource WebGate. Also, upon completing the change password or set challenge responses flow, the user is sent to the backURL (of the resource WebGate).
Problem: The backURL is fetching the value of the back-end resource WebGate. Also, upon successful completion of the change password or set challenge/response flow for lost password management (LPM), the user is sent to the backURL of the resource WebGate.
Required Configuration: In a Reverse Proxy environment, the backURL should not be set to the actual resource Web server, because this can lead to the disclosure of back-end WebGate details. See "Required Configuration for Bug 8443139" later in this section.

Bug 7667220
Description: The Oracle Access Manager Installation Guide chapter "Configuring Apache v1.3-based Web Servers for Oracle Access Manager" contains incorrect information in Step 5 of the procedure "To tune Oracle HTTP Server for Oracle Access Manager Web components".
Incorrect:
5. In the httpd.conf file on the Policy Manager, comment out the following lines:
   #LoadModule perl_module modules/mod_perl.so
   #LoadModule php4_module modules/mod_php4.so
Correct:
5. In the httpd.conf file on the Policy Manager, comment out the following lines:
   #LoadModule perl_module libexec/libperl.so
   #LoadModule php4_module modules/libphp4.so

Bug 8437838
Description: The Oracle Access Manager Identity and Common Administration Guide information on password policy qualification is not explicit with regard to the role of filters.
Incorrect: A user can qualify under more than one policy in a domain. In this situation, password policies are evaluated in a bottom-to-top order. The first policy that applies to the user is selected, as illustrated in Figure 7-1.
Problem: The example used assumes that no filters are used in the password policies.
Correct: Additional language should be added to address the use of password policies that have filters. See "Guidelines for Bug 8437838" later in this section.

Bug N/A
Description: When viewing an HTML version of the Oracle Access Manager Integration Guide, the chapter on integrating with PeopleSoft might contain some garbled characters in the sample code. This problem will be fixed in the next release of the documentation. In the meantime, the PDF version of this document displays the sample code correctly.


Table 10 (Cont.) Known Issues in Oracle Access Manager 10g (10.1.4.3) Documentation

Bug N/A
Description: In the chapter on integrating with PeopleSoft in the Oracle Access Manager Integration Guide, in step 7 of the procedure titled "To set up Oracle Access Manager for the PeopleSoft integration", the screen shot shows PS_SSO_UID with a Return Value of uid. However, uid is an attribute. Instead of Return Value, this screen shot should show the label Return Attribute.

Bug 4447307
Description: A new feature was introduced in Oracle COREid 7.0.4.2 that is not described in recent manuals. When using "Basic over LDAP" authentication, the browser returns the cached credential following a timeout. A new challenge parameter, realmunique:yes, enables a basic authentication mode that causes the realm parameters sent by WebGate to be unique (by appending a date/time string to the realm string). As a result, the browser never encounters the same realm twice, and therefore never sends cached credentials to WebGate.

Bug 6596842
Description: In previous releases, the start page for the Policy Manager was the My Policy Domains page. If there were many policies on this page, it would take a long time to appear. In this release, the start page for the Policy Manager is a search page instead of the My Policy Domains page. A future release of the Oracle Access Manager Access Administration Guide should note this change.

Bug 6160534
Description: The help topic on defining organization workflows refers to the COREid Access and Identity Administration Guide. The correct document name is Oracle Access Manager Identity and Common Administration Guide.

Bug N/A
Description: Certain manuals reference the release note document with an incorrect file name:
Incorrect: oam_10143_readme_doc.pdf
Correct: The release note document is named oamrn.htm (and oamrn.pdf).

Bug N/A
Description: Certain references to the Oracle Access Manager Configuration Tool are incorrectly stated in the Oracle Fusion Middleware Security Guide.
Correct: The ZIP file oamcfgtool_<version>.zip (for example, oamcfgtool_10_1_4_3_0.zip) is available as OAM Configuration Tool with Access Manager Core Components (10.1.4.3.0). You can extract oamcfgtool.jar to set up and validate a form-based authentication scheme, a policy domain for the application, and the Oracle Access Manager access policies required for Identity Assertion for single sign-on. This file is available in the Oracle Web Tier. However, if you configure SSO with a stand-alone Oracle WebLogic Server, you can locate it on Oracle Technology Network (OTN).
1. No Fusion Middleware Application: Obtain OAMCfgTool, as follows.
   a. Log in to Oracle Technology Network at:
      http://www.oracle.com/technology/software/products/middleware/htdocs/111110_fmw.html
   b. Locate the OAM Configuration Tool with Access Manager Core Components (10.1.4.3.0).
   c. Extract and copy oamcfgtool.jar to the computer hosting WebGate.


Table 10 (Cont.) Known Issues in Oracle Access Manager 10g (10.1.4.3) Documentation

Bug N/A
Description: Certain references to the Oracle Access Manager Identity Assertion Provider are incorrectly stated in the Oracle Fusion Middleware Security Guide.
Correct: The ZIP file oamAuthnProvider_<version>.zip (for example, oamAuthnProvider_10_1_4_3_0.zip) is available as OAM Identity Assertion Provider with Access Manager WebGates (10.1.4.3.0). You can extract oamAuthnProvider.jar before you configure providers in the WebLogic security domain to perform single sign-on with the Oracle Access Manager Identity Asserter. This file is available in the Oracle Web Tier. However, if you configure SSO with a stand-alone Oracle WebLogic Server, you can locate it on Oracle Technology Network (OTN).
1. No Fusion Middleware Application: Obtain the Oracle Access Manager provider, as follows.
   a. Log in to Oracle Technology Network at:
      http://www.oracle.com/technology/software/products/middleware/htdocs/111110_fmw.html
   b. Locate the Identity Assertion Provider with Access Manager WebGates (10.1.4.3.0):
      oamAuthnProvider_<version>.zip
   c. Extract and copy oamAuthnProvider.jar to the following path on the computer hosting Oracle WebLogic Server:
      BEA_HOME/wlserver_10.x/server/lib/mbeantypes/oamAuthnProvider.jar

Bug N/A
Description: In the Oracle Access Manager Access Administration Guide, the section "Configuring User-Defined AccessGate Parameters" contains an incorrect statement.
Correct: The reference to "... contact Oracle for a patch for the WebGate" is not relevant for 10g (10.1.4.3) and can be ignored.


Table 10 (Cont.) Known Issues in Oracle Access Manager 10g (10.1.4.3) Documentation

Bug N/A
Description: A new parameter, EnableTraceback, has been added to the Identity Server and Policy Manager globalparams.xml files following release of the Oracle Access Manager Customization Guide. The following information is missing from the manual:
In Oracle Access Manager 10g (10.1.4.3), Traceback reporting in the Bug Report Form and Stylesheet Error Report Form is disabled by default. These pages display only the message "Traceback is unavailable." in the Traceback field. However, the oblogs still record the entire Traceback.
Note: Oracle recommends that traceback functionality remain disabled. It should be enabled only if there is a problem that is causing Bug Report Form and Stylesheet Error Report Form events, where additional information is needed to determine the cause of the issue.

To enable Traceback display on the Bug Report Form and Stylesheet Error Report Form
1. Locate the Identity Server globalparams.xml file in the following path:
   IdentityServer_install_dir\identity\oblix\apps\common\bin\globalparams.xml
2. Add the EnableTraceback parameter with the value set to true, and save the file:
   <SimpleList>
     <NameValPair ParamName="EnableTraceback" Value="true"></NameValPair>
   </SimpleList>
3. Restart the Identity Server.
4. Repeat steps 1 through 3 for each Identity Server in your deployment.
5. Locate the Policy Manager globalparams.xml file in the following path:
   PolicyManager_install_dir\access\oblix\apps\common\bin\globalparams.xml
6. Add the EnableTraceback parameter with the value set to true, and save the file:
   <SimpleList>
     <NameValPair ParamName="EnableTraceback" Value="true"></NameValPair>
   </SimpleList>
7. Restart the Policy Manager Web server.
8. Repeat steps 5 through 7 for each Policy Manager in your deployment.

Required Configuration for Bug 8443139
Oracle recommends the following settings in an Apache-based Reverse Proxy environment to preserve host details:

Preserve Host Details: In the Validate_password plug-in for the authentication scheme used in the policy domain that protects resources, include the ObWebPassURLPrefix parameter with the settings for your own Reverse Proxy URL. For example:
   Validate_password: ObWebPassURLPrefix=http://ps5678.yourco.co.uk:8999

Apache v2: Set the ProxyPreserveHost directive to On. This directive is supported only by Apache v2 Web servers.

Sample Scenarios and Settings
1. Reverse Proxy for Basic Authentication: Make an entry for the resource hosted on the resource WebGate. For example:
   ProxyPass /test.html http://ps1234.yourco.co.uk:7676/test.html
2. Reverse Proxy for Form Authentication:
   a. Make an entry for the resource hosted on the resource WebGate. For example:
      ProxyPass /test.html http://ps1234.yourco.co.uk:7676/test.html
   b. Make an entry for the login form hosted on the resource WebGate. For example:
      ProxyPass /login.html http://ps1234.yourco.co.uk:7676/login.html
   c. Make an entry for the action parameter configured in the login form and the authentication scheme. For example:
      ProxyPass /access/dummy http://ps1234.yourco.co.uk:7676/access/dummy
3. Reverse Proxy for Basic Authentication with Challenge Redirect:
   a. Perform Steps a through c of the previous example (item 2 in this list).
   b. Make an entry for obrar.cgi hosted on the resource WebGate. For example:
      ProxyPass /obrar.cgi http://ps1234.yourco.co.uk:7676/obrar.cgi
4. Reverse Proxy for Form Authentication with Challenge Redirect:
   a. Perform Steps a through d of the previous example (item 3 in this list).
   b. Make an entry for obrareq.cgi hosted on the resource WebGate. For example:
      ProxyPass /obrareq.cgi http://ps1234.yourco.co.uk:7676/obrareq.cgi
   c. Make an entry for the Reverse Proxy URL details in the Challenge Redirect field of the authentication scheme. For example:
      Challenge Redirect http://ps5678.yourco.co.uk:8999

Guidelines for Bug 8437838
Multiple password policies can be defined at the same domain level with different Filter fields. These policies are considered grouped together at their shared domain level and are evaluated in an arbitrary order. The first of these filtered policies to match the user is selected as the user's password policy. When using such policy definitions, two guidelines help avoid unexpected policy results:

Guidelines
1. Avoid filters that match overlapping sets of users. For example:
   Policy 1 is defined with Domain: ou=accounting, o=company, c=us and Filter: (cn="John*")
   Policy 2 is defined with Domain: ou=accounting, o=company, c=us and Filter: (cn="*Doe")
   In this example, for a user with cn="John Doe", both policies would match, and it cannot be reliably predicted which one Oracle Access Manager would choose.
2. Avoid mixing policies that have filters with policies that do not have filters at the same domain level. For example:
   Policy 1 is defined with Domain: ou=accounting, o=company, c=us and Filter: (cn="John*")
   Policy 2 is defined with Domain: ou=accounting, o=company, c=us with no filter.
   In this example, Policy 2 might be evaluated before Policy 1, and Policy 2 might be chosen as the password policy for a user with cn="John Doe".
   Alternative: Create default policies at a higher domain level with a filter that matches the lower domain level. For example:
   Policy 2 redefined as Domain: o=company, c=us and Filter: ou=accounting
   Using this alternative, Policy 1 is definitely evaluated before Policy 2. Policy 1 is enforced for user cn=John Doe,ou=accounting,o=company,c=us. Policy 2 is enforced for user cn=Jane Doe,ou=accounting,o=company,c=us, and for user cn=John Doe,ou=legal,o=company,c=us.
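The two guidelines above come down to one property of the evaluation order: lower domain levels are evaluated before higher ones, but policies sharing a level run in an arbitrary order. The following added Python example models exactly that and enumerates every outcome a same-level ordering could produce, so the overlap in guideline 1, the filter/no-filter mix in guideline 2, and the "alternative" layout can each be checked. It is not Oracle's policy evaluation code: the policy and user DNs are the ones from the guidelines (with the redefined Policy 2 placed under o=company,c=us, the parent of the accounting domain), while the tiny filter language (one attribute, * wildcard, no AND/OR), the tuple layout of a policy and the function names are constructed for this example.

```python
"""Added example: which password policy wins under filtered, same-level policies.

Not Oracle's evaluation code. Policies are (name, domain_dn, filter_or_None)
tuples; the filter mini-language supports one 'attr=pattern' term with '*'
wildcards, which is enough for the filters quoted in the guidelines.
"""
import fnmatch
import itertools


def parse_dn(dn):
    """'cn=John Doe, ou=accounting, o=company, c=us' -> [('cn','John Doe'), ...]."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def in_domain(user_dn, domain_dn):
    """True when the policy domain is a suffix of the user's DN."""
    user, domain = parse_dn(user_dn), parse_dn(domain_dn)
    return len(domain) <= len(user) and user[-len(domain):] == domain


def filter_matches(user_dn, flt):
    """Evaluate '(attr=pattern)' or 'attr=pattern' against the user's RDNs.

    '*' is a wildcard; quotes around the pattern are ignored. A policy with
    no filter (None) matches every user in its domain.
    """
    if flt is None:
        return True
    attr, _, pattern = flt.strip("()").partition("=")
    attr, pattern = attr.strip().lower(), pattern.strip().strip('"')
    return any(a == attr and fnmatch.fnmatchcase(v, pattern)
               for a, v in parse_dn(user_dn))


def select_policy(user_dn, policies):
    """Pick the user's password policy for one concrete evaluation order.

    Deeper (more specific) domains are evaluated first; within one level the
    list order stands in for the server's arbitrary order; first match wins.
    """
    candidates = [p for p in policies if in_domain(user_dn, p[1])]
    candidates.sort(key=lambda p: -len(parse_dn(p[1])))   # stable: keeps list order per level
    for name, _, flt in candidates:
        if filter_matches(user_dn, flt):
            return name
    return None


def possible_outcomes(user_dn, policies):
    """Every policy that could win across all same-level evaluation orders.

    A result set with more than one member is exactly the unpredictability
    the guidelines warn about.
    """
    return {select_policy(user_dn, list(order))
            for order in itertools.permutations(policies)}


if __name__ == "__main__":
    ACCT = "ou=accounting, o=company, c=us"
    john = "cn=John Doe, ou=accounting, o=company, c=us"
    jane = "cn=Jane Doe, ou=accounting, o=company, c=us"
    p1 = ("Policy 1", ACCT, '(cn="John*")')
    print("guideline 1:", possible_outcomes(john, [p1, ("Policy 2", ACCT, '(cn="*Doe")')]))
    print("guideline 2:", possible_outcomes(john, [p1, ("Policy 2", ACCT, None)]))
    p2_alt = ("Policy 2", "o=company, c=us", "ou=accounting")
    print("alternative, John:", possible_outcomes(john, [p1, p2_alt]))
    print("alternative, Jane:", possible_outcomes(jane, [p1, p2_alt]))
```

The first two calls return two possible policies, the last two return exactly one each, which is the behaviour the guidelines describe.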

10 Components Included with this Bundle Patch

Table 11 lists the components that are provided with this bundle patch.
CR level included in this bundle patch: None.
This bundle patch is released against initial full-installer WebGate packages.
Compatible OAM Servers: 10.1.4.3-BP02

Note: To remain in an Oracle-supported state, Oracle recommends that you apply the bundle patch to all installed components for which packages are provided.


Table 11 Components in this Bundle Patch

Platform: Windows 32-bit
Components:
   Identity Server
   Access Server
   WebPass for ISAPI/IIS v6 and OHS11g 32-bit
   Policy Manager for ISAPI/IIS v6 and OHS11g 32-bit
   WebGate for ISAPI/IIS v6 and OHS11g 32-bit

Platform: Windows 2008 64-bit
Components:
   WebGate for IIS
   WebGate for OHS 11g 64-bit

Platform: Linux 32-bit
Components:
   Identity Server
   Access Server
   WebPass, Policy Manager, and WebGate packages for:
      Oracle HTTP Server 11g (OHS11g) 32-bit
      Apache 2.2 (Apache22) 32-bit

Platform: Linux 64-bit
Components:
   WebGate for OHS11g 64-bit

Platform: Solaris 32-bit
Components:
   Identity Server
   Access Server
   Web components for Sun One 32-bit:
      WebPass
      Policy Manager
      WebGate
   Additional WebGates:
      Apache 2.0 (Apache2) 32-bit
      Apache 2.2 (Apache22) 32-bit

Platform: Solaris 64-bit
Components:
   WebGate for OHS11g 64-bit

Oracle Access Manager Bundle Patch Notes, Bundle Patch 04, for 10g (10.1.4.3.0) for Linux, Microsoft Windows, and Solaris Operating Systems Copyright 2000, 2010 Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065. This software is developed for general use in a variety of information management applications. 
It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. This software and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.
