A Troubleshooting the Oracle Access Manager Upgrade

If you encounter errors during or after the upgrade of Oracle Access Manager to 14c (14.1.2.1.0), review the following troubleshooting procedures.

Troubleshooting OAM During the Upgrade

This section describes the troubleshooting procedures for issues that you may encounter during the OAM upgrade process.

Troubleshooting Security Policy Issues When Upgrading

OAM 14c (14.1.2.1.0) has an improved security posture and leverages the capabilities added in the underlying infrastructure. OAM 14c (14.1.2.1.0) is certified with JDK jdk17.0.12, and its behavior may vary based on the jdk17.0.12 update used.

For specific JDK jdk17.0.12 updates and their corresponding Java policies, see Java Release Notes.

Note:

Ensure that the OAM 12c (12.2.1.4.0) environment is operational/functional before you initiate the upgrade process.

Modifying the Java Security Posture

OAM Server 14c (14.1.2.1.0) supports TLS1.2 and SHA-2. For compatibility with older products (including Webgate, OIM, and OAAM), relax the OAM security posture by making the following changes to the java.security policy:

  1. Remove TLSv1, TLSv1.1, MD5withRSA from the following key:
    key - jdk.tls.disabledAlgorithms
    
  2. Remove MD5 from the following key:

    key - jdk.certpath.disabledAlgorithms
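
A way to check which of these entries a given java.security file still disables, useful for confirming the change and for recording exactly what was re-enabled. This is an added example, not Oracle's code; the function names are hypothetical and the sample file contents are constructed.

```python
# Added example: audit java.security for the legacy algorithms named above.
CHECKS = {
    "jdk.tls.disabledAlgorithms": ("TLSv1", "TLSv1.1", "MD5withRSA"),
    "jdk.certpath.disabledAlgorithms": ("MD5",),
}

def parse_security_properties(text):
    """Parse properties text, joining lines that end in a backslash."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line.startswith("#")):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        logical += line
        if "=" in logical:
            key, value = logical.split("=", 1)
            props[key.strip()] = value.strip()
        logical = ""
    return props

def disabled_names(value):
    """First token of each comma-separated entry ('DH keySize < 1024' -> 'DH')."""
    return {e.split()[0] for e in value.split(",") if e.strip()}

def relaxed_algorithms(text):
    """Map each key to the legacy algorithms that are no longer disabled."""
    props = parse_security_properties(text)
    return {key: [a for a in legacy if a not in disabled_names(props.get(key, ""))]
            for key, legacy in CHECKS.items()}

# Constructed samples (not copied from a real JDK or OAM install).
DEFAULT_SAMPLE = r"""
# legacy entries sit on a continuation line
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, \
    TLSv1, TLSv1.1, MD5withRSA, DH keySize < 1024
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""
RELAXED_SAMPLE = r"""
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, \
    DH keySize < 1024
jdk.certpath.disabledAlgorithms=MD2, MD5withRSA, RSA keySize < 1024
"""

if __name__ == "__main__":
    for name, sample in (("default", DEFAULT_SAMPLE), ("relaxed", RELAXED_SAMPLE)):
        print(name, relaxed_algorithms(sample))
```

Entries are matched as whole tokens, so an MD5withRSA entry under jdk.certpath.disabledAlgorithms is not mistaken for MD5.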
    

Load Balancer Value Changes During the Upgrade

During the upgrade, the load balancer value changes from its original machine details and displays different values.

The values are as follows:

  • Host name = oam-host
  • Port = 8002

To resolve this issue, manually change the host name and port number to the original value.

Activation State is set as FAILED when Restarting the Admin Server

After you upgrade the domain component configurations and start the Admin server, the activation state is set as FAILED.

Caused By: oracle.security.am.install.AMInstallException: Invalid Simple Mode Artifacts
at oracle.security.am.install.startup.AMKeyStoreValidator.execute(AMKeyStoreValidator.java:70)
at oracle.security.am.install.startup.OamInstallTopologyConfigListener.doMandatoryValidations(OamInstallTopologyConfigListener.java:114)

To solve the error, complete the following steps:
  1. In the 14c environment, open the oam-config.xml file.
  2. Replace the value of sslGlobalPassphrase with the value that you copied from the 12c environment.

For more information about how to import or export oam-config.xml from the database, see Doc ID 2310234.1.

AMInitServlet Fails to Preload when Restarting OAM Managed Server

After you upgrade the domain component configurations and start the OAM managed server, AMInitServlet fails to preload.

The following error message is displayed:
Caused By: oracle.security.am.common.utilities.exception.AmRuntimeException: Fail to decrypt oamkeystore data with cipher key from OAM config (/DeployedComponent/Server/NGAMServer/Profile/ssoengine/CipherKey)
at oracle.security.am.engines.sso.adapter.OAMSessionConfiguration$ConfigListener.configurationChanged(OAMSessionConfiguration.java:295)

To solve the error, complete the following steps:
  1. In the 14c environment, open the oam-config.xml file.
  2. Replace the value of cipherKey with the value that you copied from the 12c environment.

For more information about how to import or export oam-config.xml from the database, see Doc ID 2310234.1.

File Not Found Exception when Starting the OAM Managed Server

After you upgrade the domain component configurations and start the server, a File Not Found exception is displayed.

This is a known issue. Ignore the following File Not Found exception:
[2019-09-04T05:52:24.349+00:00] [wls_oam1] [WARNING] [J2EE JMX-46714]
[oracle.as.jmx.framework.wls.spi.ComponentMBeans] [tid:
[ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: <WLS Kernel>] [ecid:
ab946520-e9e8-498c-89f6-5e9e0f055f40-00000007,0] [partition-name: DOMAIN]
[tenant-name: GLOBAL] Error parsing MBean descriptor file
"fmwconfig/mbeans/oamconfig_mbeans.xml".[[
java.io.FileNotFoundException: The Config MBean jar file
"C:\Oracle\Middleware_IAM\user_projects\domains\oam_domain\config\fmwconfig\mbeans\${OAM_ORACLE_HOME}\server\lib\jmx\configmgmt.jar" does not exist.

[2019-09-04T05:52:26.693+00:00] [wls_oam1] [WARNING] [J2EE JMX-46714]
[oracle.as.jmx.framework.wls.spi.ComponentMBeans] [tid:
[ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: <WLS Kernel>] [ecid:
ab946520-e9e8-498c-89f6-5e9e0f055f40-00000007,0] [partition-name: DOMAIN]
[tenant-name: GLOBAL] Error parsing MBean descriptor file
"fmwconfig/mbeans/t2p_mbeans.xml".[[
java.io.FileNotFoundException: The Config MBean jar file
"C:\Oracle\Middleware_IAM\user_projects\domains\oam_domain\config\fmwconfig\mbeans\${OAM_ORACLE_HOME}\server\lib\jmx\was-t2p.jar" does not exist.

WADL Generation Does not Show Description

Issue

WADL generation fails and a java.lang.IllegalStateException: ServiceLocatorImpl is returned.
Exception thrown when provider class org.glassfish.jersey.server.internal.monitoring.MonitoringFeature$StatisticsListener was processing MonitoringStatistics. Removing provider from further processing.
java.lang.IllegalStateException: ServiceLocatorImpl(__HK2_Generated_6,9,221656053) has been shut down
at org.jvnet.hk2.internal.ServiceLocatorImpl.checkState(ServiceLocatorImpl.java:2393)

Also, when the WADL generation fails, the description field shows Root Resource instead of a proper description at the following URLs.

http://<Host>:<AdminServerPort>/oam/services/rest/11.1.2.0.0/ssa/policyadmin/application.wadl
http://<Host>:<ManagedServerPort>/iam/access/api/v1/health/application.wadl

Resolution

Restart the Admin server and managed servers to resolve the WADL issue.

Error When Starting SSL Enabled OAM Managed Server After Upgrade

If SSL is enabled for Oracle Access Manager Managed Servers, the SSL port for the Administration Server must be changed manually before starting the servers.

This issue occurs when you upgrade Oracle Identity Manager (OIM) and Oracle Access Manager (OAM) integrated environments. If the SSL port is not updated for the SSL enabled Oracle Access Manager Managed Server, the following exception is displayed when you start the Managed Server:
<Error> <Server>  <idmr2ps3> <AdminServer> <[ACTIVE] ExecuteThread: '11' 
for  queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>  
<303f1768-cdd2-4e0c-9b1e-564a32e22aa1-00000056> <1494577396454>  <[severity-value: 8] 
[rid: 0] [partition-id: 0] [partition-name: DOMAIN] >  <BEA-002606> <The server is unable to 
create a server socket for listening on  channel "DefaultSecure[iiops]". The address x.x.x.x 
might be incorrect or another process is using port 7503: java.net.BindException: Address already in use>

The following exception is seen in the Administration Server log file:

<Error> <Server> <idmr2ps3>  <AdminServer> <DynamicJSSEListenThread[DefaultSecure]> 
<<WLS Kernel>> <>  <1880691887b793b2:4b6e5462:15ba94a4abd:-8000-0000000000000015>  <1493194022003> 
<BEA-002606> <Unable to create a server socket for listening  on channel "DefaultSecure". 
The address x.x.x.x might be incorrect or another process is using port 7503: java.net.BindException: Address already in use.>

To resolve this issue, do the following:
  1. Change the SSL port of the Administration Server from 7503 to another free port, for example, 7505, on the WebLogic Administration Console.
  2. Edit the startManagedWebLogic.sh file located at DOMAIN_HOME/bin/ to change the port from 7503 to 7505.

In an OIM and OAM integrated environment, you must use different SSL ports for OIM Administration Server and OAM Administration Server.

OAM Upgrade Fails With InvalidKeyException

Oracle Access Manager upgrade fails with InvalidKeyException if Java JSE Policy is not upgraded.

The following exception is displayed:
oracle.security.jps.JpsException: 
oracle.security.jps.service.keystore.KeyStoreServiceException: 
Failed to perform cryptographic operation
Caused by: java.security.InvalidKeyException: Illegal key size

OWSM Error Messages in the Reconfiguration Logs

During the Oracle Access Management (OAM) upgrade, when you reconfigure the OAM domain, Oracle Web Services Manager (OWSM) error messages are seen in the reconfig logs.

The following error messages are seen in the reconfig logs:
2017-07-23 10:49:11,791 SEVERE [18] 
oracle.wsm.common.logging.WsmMessageLogger - Following validation errors were 
encountered while validating document 
"/assertiontemplates/oracle/http_pkinit_over_ssl_template" : 
2017-07-23 10:49:11,868 SEVERE [18] 
oracle.wsm.common.logging.WsmMessageLogger - Following validation errors were 
encountered while validating document 
"/assertiontemplates/oracle/http_kinit_over_ssl_template" : 
2017-07-23 10:49:35,462 SEVERE [18] 
oracle.wsm.common.logging.WsmMessageLogger - Following validation errors were 
encountered while validating document 
"/policies/oracle/multi_token_over_ssl_client_policy" : 
2017-07-23 10:49:35,562 SEVERE [18] 
oracle.wsm.common.logging.WsmMessageLogger - Following validation errors were 
encountered while validating document 
"/policies/oracle/multi_token_client_policy" :

These errors are caused by corrupted custom documents, which need to be either removed or fixed before the upgrade.

This does not impact OWSM functionality, and hence can be ignored.