This chapter describes issues associated with Oracle Adaptive Access Manager. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
This section describes general user interface issues.
This section describes issues with policy, rule, and group features.
An error message is not displayed when you try to create a group with an existing group name. The group with the duplicate name is not created, but you will not see an error message.
The Add button in the Add Members dialog box becomes disabled for the following scenario:
Open an existing group.
In the Members tab, click the Add button.
The Add Members dialog box appears and the Search Results table is empty.
In the Add Members dialog box, choose the option to search and select from the existing elements.
A list of elements appears in the Search Results table.
From the Search Results table, select the first element and then click the Add button.
To delete the member you just added, select the member in the Members tab and then click Delete.
When the list of elements appears in the Search Results table, the element you deleted previously is already selected and the Add button is disabled.
To enable the Add button, you will have to select another element and then go back and select the original element.
If only one element exists to choose from, you will not be able to enable the Add button and add that element to the group.
As a workaround, if there is only one element to choose from:
Select the Create New option in the Add Members dialog box. The Search Results table disappears.
Now, choose the option to search and select. When the Search Results table reappears, the Add button is enabled. You will be able to select the element and add it to the group.
As a workaround, if there is more than one element to choose from, click another element, then go back to the original element and add it.
If you set the status of an attribute to Deleted in a pattern, the attribute will not appear in the user interface and you will not be able to reuse it.
If you do not want to use the attribute, set the status to Inactive instead of Deleted.
This section describes a Knowledge-Based Authentication feature issue.
This section describes a Transaction issue.
For the Transaction Definition, in the Transaction tab, if you try to delete a row, but click Cancel in the Delete Row confirmation dialog in the Source or Data tabs, you will not be able to delete that row again.
The warning message, "No Data Elements are selected for delete," is shown even if you select the row.
This section describes issues dealing with import, export, and snapshots.
If you type in an incorrect file path for any import file dialog box in Internet Explorer 7 (IE7), the import file dialog box becomes unusable and you cannot close it.
As a workaround, log out of the application and log back in.
When you are restoring a snapshot from a file, a validation check is run when you click Continue. You are then asked to enter a name and notes even if you do not want to take a current snapshot.
As a workaround, you should select Back Up Current System, enter your name and notes, deselect Back Up Current System, and click Continue to bypass the validation check.
This section describes issues pertaining to audit, log, and performance.
The execution and processing labels used in Oracle Enterprise Manager are different from the ones used in the Oracle Adaptive Access Manager Dashboard.
The mappings are as follows:
Report | Fusion Middleware Control | Oracle Adaptive Access Manager Dashboard |
---|---|---|
Policy Execution Summary | Average Execution Time | Average Policy Process Time |
Rules Execution Summary | Average Execution Time | Average Rule Process time |
Rules Processing Summary | Average Execution Time | RulesAPI.processRules |
The Add, Update, Delete Overrides audit events use the deprecated term "Override" instead of "Trigger Combination." The audit events are also not captured in the audit.log.
The response time is slow for Select All and Bulk actions in tables. This occurs mainly for KBA and group elements.
For example, response time is slow for activating all KBA questions or deleting all group members.
The Update Rule Param Value audit event is triggered:
Whenever a condition is selected and the condition details are displayed. The rule condition value in the rule has not changed.
When a user makes changes to rules (for example, the rule name).
When you make a change to the rule and click the Apply button, the Update Rule Param Value audit event is triggered. Even though there had been only one modification, the following three audit events are also triggered:
UpdateRuleInPolicy
UpdateRulesOrderInPolicy
UpdateRuleParamValuesInPolicy
The extra events are triggered because Apply and Revert are global actions; therefore the entire state is saved. On the other hand, Save and Cancel are detail level actions.
Certain error and warning messages appear in log files even when there are no issues with the user interface. Table 32-1 lists error/warnings that can be ignored.
'....' indicates additional contextual text
Table 32-1 Oracle Adaptive Access Manager Messages to Ignore
# | Error Message | Description / Comments |
---|---|---|
1 | Couldn't load properties file bharosauio_client.properties | This message may occur during server startup when an attempt is made to load the file. The file is not a requirement; therefore this message can be ignored. |
2 | The DocumentChange is not configured to be allowed for the component: ..... | This message is from the ADF Filtered Change Persistence Manager. It can be ignored. |
3 | shadow[some text]: No shadow row found for .... | The message is generated when a history row is not found in the database for some server artifacts, when the row is inserted for the first time for that artifact. Since the history rows are rebuilt if they are not found, this message can be ignored. |
4 | Element for value= -1 not found for enum .... | This message is generated when the default value of the enumeration is used to convey an unused or unselected item from the enumerated lists in the server or user interface. Since the (-1) is interpreted as an unused value, this message can be ignored. |
5 | Could not find selected item matching value "0" in RichSelectOneChoice .... | The message is generated from the user interface classes when attempts are made to match selected values with choices. In some cases, the selected value of 0 may not have attached a choice and that is when this message is generated. This message can be ignored. |
6 | DocumentChange will not be persisted because the target component of DocumentChange is a stamped component or is in the subtree of a stamped component. Target component reference.... | The message is informational and from the ADF MDS Filtered Change Persistence Manager. It can be ignored. |
7 | Error instantiating class - oracle.adfdtinternal.view.faces.portlet.PortletDefinitionDTFactory | The message is generated by the user interface code when attempts are made to upload portlets. Since the Oracle Adaptive Access Manager implementation does not use this class, this message can be ignored. |
8 | Could not find saved view state for token .... | This message is from the ADF view layer and occurs if the user cut and pasted the OAAM Admin URL. |
9 | ADFv: Unable to find matching JSP Document Node for: .... | This message is from ADF view layer. |
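The messages in Table 32-1 can be turned into a noise filter for log triage, so that only lines outside the table reach a reviewer. The following Python sketch is an added example, not Oracle code; the log line layout, the sample lines, and the treatment of dot runs and "[some text]" as wildcards are assumptions.

```python
import re
from collections import Counter

# Message texts copied from Table 32-1, keyed by table row number.
TABLE_32_1 = {
    1: "Couldn't load properties file bharosauio_client.properties",
    2: "The DocumentChange is not configured to be allowed for the component: .....",
    3: "shadow[some text]: No shadow row found for ....",
    4: "Element for value= -1 not found for enum ....",
    5: 'Could not find selected item matching value "0" in RichSelectOneChoice ....',
    6: "DocumentChange will not be persisted because the target component of "
       "DocumentChange is a stamped component or is in the subtree of a stamped "
       "component. Target component reference....",
    7: "Error instantiating class - oracle.adfdtinternal.view.faces.portlet.PortletDefinitionDTFactory",
    8: "Could not find saved view state for token ....",
    9: "ADFv: Unable to find matching JSP Document Node for: ....",
}
# Assumption: a run of four or more dots, or "[some text]", stands for variable text.
WILDCARD = re.compile(r"\.{4,}|\[some text\]")

def compile_row(text):
    """Turn one table message into a regex: literal parts joined by a lazy wildcard."""
    literals = [re.escape(part.strip()) for part in WILDCARD.split(text)]
    return re.compile(".*?".join(literals))

PATTERNS = {row: compile_row(text) for row, text in TABLE_32_1.items()}

def triage(lines):
    """Return (lines needing review, Counter of suppressed lines per table row)."""
    review, suppressed = [], Counter()
    for line in lines:
        row = next((r for r, p in PATTERNS.items() if p.search(line)), None)
        if row is None:
            review.append(line)
        else:
            suppressed[row] += 1
    return review, suppressed

# Constructed sample lines; the timestamp/level prefix layout is an assumption.
SAMPLE = [
    "[2011-01-10T10:15:02] [WARNING] Couldn't load properties file bharosauio_client.properties",
    "[2011-01-10T10:15:09] [WARNING] shadowExample: No shadow row found for id 42",
    "[2011-01-10T10:16:30] [ERROR] Element for value= -1 not found for enum ExampleEnum",
    '[2011-01-10T10:17:01] [WARNING] Could not find selected item matching value "7" in RichSelectOneChoice[x]',
    "[2011-01-10T10:17:44] [ERROR] Could not find saved view state for token abc123",
    "[2011-01-10T10:18:12] [ERROR] Database connection refused",
]

if __name__ == "__main__":
    review, suppressed = triage(SAMPLE)
    print("suppressed per Table 32-1 row:", dict(suppressed))
    for line in review:
        print("REVIEW:", line)
```

The per-row counter keeps suppressed messages visible as totals, and the `"7"` sample line stays in the review set because the table lists only the value `"0"` variant.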
This section describes globalization issues.
In any of the search panels, the timestamp criteria input field uses a fixed format rather than a format based on the locale.
As a workaround, use the date-picker to select the timestamp instead of manually entering it.
This section describes configuration issues and their workarounds. It includes the following topics:
Section 32.2.3, "Oracle Adaptive Access Manager Servers Can Run on IPv6 Enabled Dual Stack Machines"
Section 32.2.2, "Unused Rule.Action.Enum Actions are Disabled Out of the Box."
When you install Oracle Adaptive Access Manager 11g, you must install the patches for bugs 9824531 and 9817469.
The patches are not optional; they are critical for running the OAAM Admin Console in the only supported deployment mode, which is the high availability clustered environment.
To apply the patches:
Go to My Oracle Support at
Click the Patches & Updates tab, and search for bug 9824531. Download the associated patch and install it by following the instructions in the README file included with the patch.
On the Patches & Updates tab, search for bug 9817469. Download the associated patch and install it by following the instructions in the README file included with the patch.
The values for the Rule.Action.Enum Action fields like ChallengeSMSTextPad, ChallengeSMSPinPad, and others, are not specified for the From Action and To Action fields in the Policy Set.
The workaround is to set the value of these properties to true using the Properties Editor:
rule.action.enum.ChallengeSMSTextPad.enabled
rule.action.enum.ChallengeSMSPinPad.enabled
rule.action.enum.ChallengeEmailTextPad.enabled
rule.action.enum.ChallengeEmailPinPad.enabled
rule.action.enum.SmsChallenge.enabled
rule.action.enum.EmailChallenge.enabled
rule.action.enum.NextQuestion.enabled
rule.action.enum.RegisterImageTextPad.enabled
rule.action.enum.RegisterImagePinPad.enabled
rule.action.enum.RegisterImageKeyPadFull.enabled
rule.action.enum.RegisterImageKeyPadAlpha.enabled
rule.action.enum.RegisterImageKeyPadAlphaTurk.enabled
rule.action.enum.RegisterImageQuestionPad.enabled
rule.action.enum.Token.enabled
rule.action.enum.OTPChallengeEmail.enabled
rule.action.enum.OTPChallengeSMS.enabled
rule.action.enum.OTPRegister.enabled
rule.action.enum.OTPBlock.enabled
The OAAM Servers function on IPv6 enabled dual stack servers with reduced functionality. End user IP addresses in IPv4 format are used in fraud policies and rules management. This may not be an issue, as IPv4 format is used across networks and the OAAM Server obtains an IPv4-based IP address. When end user IP addresses are in IPv6 form, rules evaluating user, device, application data (transactions/events) and other contextual data will function as expected. However, location rules will evaluate against a private dummy IP (127.0.0.99) in place of the actual v6 form IP. The OAAM Admin console will also display the private dummy IP (127.0.0.99) in place of the actual v6 form IP. To support location-based rules, a change in database schema and an application change to support Groups, Ranges, Listing and Details pages are required. In addition, IPv6 support from geolocation data vendors is needed for advanced location rules based on geolocation, velocity, connection settings, and others.
This section describes documentation errata. It includes the following topics:
Section 32.3.1, "Documentation to Customize Abbreviation and Equivalences is Incorrect"
Section 32.3.2, "The Pattern Statuses are Incorrectly Documented in the Administrator's Guide"
Section 32.3.3, "Name and Location of Purging Scripts Package Not Provided in Documentation"
Section 32.3.4, "Corrections and Additions to Appendix F, Globalization Support"
The following sections on customizing abbreviations and equivalences are incorrect in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
6.9.2.1 Common Abbreviations
"The list can be customized by adding or updating properties file, client_resource_<locale>.properties, created by the administrator."
F.8 Adding to the Abbreviation File
"Add as many abbreviations and equivalences as you want to client_resource_<locale>.properties."
A revised section is provided in the Release Notes.
Customizing English Abbreviations and Equivalences
Answer Logic checks if the answer provided by the user matches closely to the ones provided during registration.
Answer Logic, in part, relies on pre-configured sets of word equivalents, commonly known as abbreviations.
Although there are several thousand English abbreviations and equivalences in the English version of Oracle Adaptive Access Manager, customers can perform customizations per their business requirements.
For example, the customer might want the following to be considered a match.
Registered Answer | Given Answer |
---|---|
nineteen hundred ninety nine | 1999 |
The out of the box English abbreviations and equivalences are in a file named bharosa_auth_abbreviation_config.properties. Changes cannot be made to this file.
To customize abbreviations, a new file must be created with a new set of abbreviations. This file takes precedence over the original file and all abbreviations in the original file are ignored.
To customize abbreviations:
Create a new abbreviation file, custom_auth_abbreviation_config.properties, and save it in the IDM_ORACLE_HOME/oaam/conf directory.
If the conf folder does not exist, create one.
Add abbreviations and equivalences to custom_auth_abbreviation_config.properties.
There are two different formats to use:
Word=equivalent1
Word=equivalent2
or
Word=equivalent1,equivalent2, equivalent3
For example, in English, some equivalences for James are:
Jim=James,\Jamie,\Jimmy
With the addition of the equivalences, if a user were to enter a response as Jim, but had originally entered James, Jim would be accepted.
Another example is that St may be equivalent to Street.
Note:
Retrieval of abbreviation values is not based on the browser language; values are retrieved from the properties files.
Using the Properties Editor, change the property bharosa.authenticator.AbbreviationFileName to point to the complete path to custom_auth_abbreviation_config.properties.
The default value for the property bharosa.authenticator.AbbreviationFileName is bharosa_auth_abbreviation_config.properties.
Create the bharosa.authenticator.AbbreviationFileName property if it does not already exist.
Restarting the system is not necessary for the change to take effect.
For information on using the Properties Editor, refer to "Using the Properties Editor" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
Configure the Answer Logic by following the instructions in "Configuring the Answer Logic" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
If you want to revert to the original out of the box abbreviations, set bharosa.authenticator.AbbreviationFileName back to bharosa_auth_abbreviation_config.properties.
Customizing Abbreviations and Equivalences for Locales
Translated files are shipped for different locales. These files are named bharosa_auth_abbreviation_config_<locale>.properties where <locale> is the locale string. For example, the Spanish version of the file is bharosa_auth_abbreviation_config_es.properties.
If you want to localize for one locale (for example, for Japanese only) you can create one file and set the value of property bharosa.authenticator.AbbreviationFileName to that file's absolute path.
If you want to customize for multiple locales, you need to perform the following steps:
Create the files specific to those locales with the same prefix.
For example,
/mydrive/IDM_ORACLE_HOME/oaam/conf/Abbreviations_es.properties for Spanish
/mydrive/IDM_ORACLE_HOME/oaam/conf/Abbreviations_ja.properties for Japanese
Set the property bharosa.authenticator.AbbreviationFileName to /mydrive/IDM_ORACLE_HOME/oaam/conf/Abbreviations.properties.
Note that the locale suffix is absent in the value of the property.
Oracle Adaptive Access Manager uses the locale specific suffixes to the base file name and calculates the file name for that locale at runtime. You only have to specify the base name of the file, independent of locale, as the property value, and Oracle Adaptive Access Manager calculates the locale specific value automatically at runtime based on that property value.
The Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager states that there are three states for the pattern, but lists five in Table 14.1 and four in Section 14.9.5, "Changing the Status of the Pattern."
The statuses to choose from are:
Active
If data must be collected, the pattern must be in the Active state.
Inactive
If the pattern definition is complete, but you do not want to collect data, select Inactive.
Incomplete
If pattern creation has started, but you need to save it for completion later, select Incomplete. Data is not collected for this state.
Invalid
If there is a problem with the pattern, you can mark the pattern as Invalid to signal other operators. No autolearning data analysis will be performed for a pattern in this state.
Deleted
The pattern has been deleted, but the system must keep this record to maintain data integrity. No autolearning data analysis will be performed for a pattern in this state.
The name and location of the purging scripts package is not provided in Appendix G, "Setting Up Archive and Purge Procedures" of the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
The Oracle Adaptive Access Manager-related purging scripts are in the oaam_db_purging_scripts.zip file located under IDM_ORACLE_HOME/oaam/oaam_db_scripts.
Additions and corrections to Appendix F, "Globalization Support," in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager are listed in this section.
Section F.3, "Configuring Language Defaults for Oracle Adaptive Access Manager," should include the following note:
Note:
The only locales supported are the ones listed in enums.
Section F.7, "Adding Registration Questions," Step 4, states that "By default, the Locale menu displays English and 26 other default locale languages." This is incorrect. It should say, "By default, the Locale menu displays English and 27 other default locale languages."
Section F.8, "Adding to the Abbreviation File" has been updated in the Release Notes. For updated information, refer to Section 32.3.1.