A Troubleshooting the Oracle Access Manager Upgrade
If you encounter errors during or after the upgrade of Oracle Access Manager to 14c (14.1.2.1.0), review the following troubleshooting procedures.
- Troubleshooting OAM During the Upgrade
This section describes the troubleshooting procedures for issues that you may encounter during the OAM upgrade process. - Activation State is set as FAILED when Restarting the Admin Server
After you upgrade the domain component configurations and start the Admin server, the activation state is set asFAILED
. - AMInitServlet Fails to Preload when Restarting OAM Managed Server
After you upgrade the domain component configurations and start the OAM managed server,AMInitServlet
fails to preload. - File Not Found Exception when Starting the OAM Managed Server
After you upgrade the domain component configurations and start the server aFile Not Found
exception is displayed. - Error When Starting SSL Enabled OAM Managed Server After Upgrade
If SSL is enabled for Oracle Access Manager Managed Servers, the SSL port for the Administration Server must be changed manually before starting the servers. - OAM Upgrade Fails With InvalidKeyException
Oracle Access Manager upgrade fails with InvalidKeyException if Java JSE Policy is not upgraded. - OWSM Error Messages in the Reconfiguration Logs
During the Oracle Access Management (OAM) upgrade, when you reconfigure the OAM domain, Oracle Web Services Manager (OWSM) error messages are seen in the reconfig logs.
Troubleshooting OAM During the Upgrade
This section describes the troubleshooting procedures for issues that you may encounter during the OAM upgrade process.
- Troubleshooting Security Policy Issues When Upgrading
OAM 14c (14.1.2.1.0) has an improved security posture and leverages the capabilities added in the underlying infrastructure. OAM 14c (14.1.2.1.0) is certified with JDK jdk17.0.12, and based on thejdk17.0.12 update used, its behavior may vary. - Load Balancer Value Changes During the Upgrade
During the upgrade, the load balancer value changes from its original machine details and displays different values.
Parent topic: Troubleshooting the Oracle Access Manager Upgrade
Troubleshooting Security Policy Issues When Upgrading
OAM 14c (14.1.2.1.0) has an improved security posture and leverages the capabilities added in the underlying infrastructure. OAM 14c (14.1.2.1.0) is certified with JDK jdk17.0.12, and based on thejdk17.0.12 update used, its behavior may vary.
For specific JDK jdk17.0.12 updates and their corresponding Java policies, see Java Release Notes.
Note:
Ensure that the OAM 12c (12.2.1.4.0) environment is operational/functional before you initiate the upgrade process.Modifying the Java Security Posture
OAM Server 14c (14.1.2.1.0) supports TLS1.2 and SHA-2. For compatibility with older products (including Webgate, OIM, and OAAM), relax the OAM security posture by making the following changes to the java.security policy:
-
Remove TLSv1, TLSv1.1, MD5withRSA from the following key:
key - jdk.tls.disabledAlgorithms
-
Remove MD5 from the following key:
key - jdk.certpath.disabledAlgorithms
Parent topic: Troubleshooting Security Policy Issues When Upgrading
Load Balancer Value Changes During the Upgrade
During the upgrade, the load balancer value changes from its original machine details and displays different values.
The values are as follows:
- Host name = oam-host
- Port= 8002
To resolve this issue, manually change the host name and port number to the original value.
Parent topic: Troubleshooting OAM During the Upgrade
Activation State is set as FAILED
when Restarting the Admin Server
After you upgrade the domain component configurations and start the Admin server, the activation state is set as FAILED
.
Caused By: oracle.security.am.install.AMInstallException: Invalid Simple
Mode Artifacts at
oracle.security.am.install.startup.AMKeyStoreValidator.execute(AMKeyStoreValid
ator.java:70)at
oracle.security.am.install.startup.OamInstallTopologyConfigListener.doMandator
yValidations(OamInstallTopologyConfigListener.java:114)
- In the 14c environment, open to the
oam-config.xml
file. - Replace the value of
sslGlobalPassphrase
with the value that you copied from the 12c environment.
For more information about how to import or export oam-config.xml
from database, see Doc ID 2310234.1.
Parent topic: Troubleshooting the Oracle Access Manager Upgrade
AMInitServlet
Fails to Preload when Restarting OAM Managed Server
After you upgrade the domain component configurations and start the OAM managed server, AMInitServlet
fails to preload.
Caused By: oracle.security.am.common.utilities.exception.AmRuntimeException:
Fail to decrypt oamkeystore data with cipher key from OAM config
(/DeployedComponent/Server/NGAMServer/Profile/ssoengine/CipherKey)
at oracle.security.am.engines.sso.adapter.OAMSessionConfiguration$Config
Listener.configurationChanged(OAMSessionConfiguration.java:295)
- In the 14c environment, open to the
oam-config.xml
file. - Replace the value of
cipherKey
with the value that you copied from the 12c environment.
For more information about how to import or export oam-config.xml
from database, see Doc ID 2310234.1.
Parent topic: Troubleshooting the Oracle Access Manager Upgrade
File Not Found Exception when Starting the OAM Managed Server
After you upgrade the domain component configurations and start the server a File Not Found
exception is displayed.
File Not Found
exception:[2019-09-04T05:52:24.349+00:00] [wls_oam1] [WARNING] [J2EE JMX-46714]
[oracle.as.jmx.framework.wls.spi.ComponentMBeans] [tid:
[ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: <WLS Kernel>] [ecid:
ab946520-e9e8-498c-89f6-5e9e0f055f40-00000007,0] [partition-name: DOMAIN]
[tenant-name: GLOBAL] Error parsing MBean descriptor file
"fmwconfig/mbeans/oamconfig_mbeans.xml".[[
java.io.FileNotFoundException: The Config MBean jar file
"C:\Oracle\Middleware_IAM\user_projects\domains\oam_domain\config\fmwconfig\mb
eans\${OAM_ORACLE_HOME}\server\lib\jmx\configmgmt.jar" does not exist.
[2019-09-04T05:52:26.693+00:00] [wls_oam1] [WARNING] [J2EE JMX-46714]
[oracle.as.jmx.framework.wls.spi.ComponentMBeans] [tid:
[ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: <WLS Kernel>] [ecid:
ab946520-e9e8-498c-89f6-5e9e0f055f40-00000007,0] [partition-name: DOMAIN]
[tenant-name: GLOBAL] Error parsing MBean descriptor file
"fmwconfig/mbeans/t2p_mbeans.xml".[[
java.io.FileNotFoundException: The Config MBean jar file
"C:\Oracle\Middleware_IAM\user_projects\domains\oam_domain\config\fmwconfig\mb
eans\${OAM_ORACLE_HOME}\server\lib\jmx\was-t2p.jar" does not exist.
Parent topic: Troubleshooting the Oracle Access Manager Upgrade
WADL Generation Does not Show Description
Issue
java.lang.IllegalStateException: ServiceLocatorImpl
is returned. Exception thrown when provider
class org.glassfish.jersey.server.internal.monitoring.MonitoringFeature$StatisticsListener
was processing MonitoringStatistics. Removing provider from further processing.
java.lang.IllegalStateException: ServiceLocatorImpl(__HK2_Generated_6,9,221656053) has been shut down
at org.jvnet.hk2.internal.ServiceLocatorImpl.checkState(ServiceLocatorImpl.java:2393)
http://<Host>:<AdminServerPort>/oam/services/rest/11.1.2.0.0/ssa/policyadmin/application.wadl
http://<Host>:<ManagedServerPort>/iam/access/api/v1/health/application.wadl
Resolution
Restart the Admin server and managed servers to resolve the wadl issue.
Error When Starting SSL Enabled OAM Managed Server After Upgrade
If SSL is enabled for Oracle Access Manager Managed Servers, the SSL port for the Administration Server must be changed manually before starting the servers.
<Error> <Server> <idmr2ps3> <AdminServer> <[ACTIVE] ExecuteThread: '11'
for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
<303f1768-cdd2-4e0c-9b1e-564a32e22aa1-00000056> <1494577396454> <[severity-value: 8]
[rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-002606> <The server is unable to
create a server socket for listening on channel "DefaultSecure[iiops]". The address x.x.x.x
might be incorrect or another process is using port 7503: java.net.BindException: Address already in use>
The following exception is seen in the Administration Server log file: <Error> <Server> <idmr2ps3> <AdminServer> <DynamicJSSEListenThread[DefaultSecure]>
<<WLS Kernel>> <> <1880691887b793b2:4b6e5462:15ba94a4abd:-8000-0000000000000015> <1493194022003>
<BEA-002606> <Unable to create a server socket for listening on channel "DefaultSecure".
The address x.x.x.x might be incorrect or another process is using port 7503: java.net.BindException: Address already in use.>
To resolve this issue, do the following:- Change the SSL port of the Administration Server from
7503
to another free port, for example,7505
, on the WebLogic Administration Console. - Edit the startManagedWebLogic.sh file located at DOMAIN_HOME/bin/ to change the port from
7503
to7505
.
Parent topic: Troubleshooting the Oracle Access Manager Upgrade
OAM Upgrade Fails With InvalidKeyException
Oracle Access Manager upgrade fails with InvalidKeyException if Java JSE Policy is not upgraded.
oracle.security.jps.JpsException:
oracle.security.jps.service.keystore.KeyStoreServiceException:
Failed to perform cryptographic operation
Caused by: java.security.InvalidKeyException: Illegal key size
Parent topic: Troubleshooting the Oracle Access Manager Upgrade
OWSM Error Messages in the Reconfiguration Logs
During the Oracle Access Management (OAM) upgrade, when you reconfigure the OAM domain, Oracle Web Services Manager (OWSM) error messages are seen in the reconfig logs.
2017-07-23 10:49:11,791 SEVERE [18]
oracle.wsm.common.logging.WsmMessageLogger - Following validation errors were
encountered while validating document
"/assertiontemplates/oracle/http_pkinit_over_ssl_template" :
2017-07-23 10:49:11,868 SEVERE [18]
oracle.wsm.common.logging.WsmMessageLogger - Following validation errors were
encountered while validating document
"/assertiontemplates/oracle/http_kinit_over_ssl_template" :
2017-07-23 10:49:35,462 SEVERE [18]
oracle.wsm.common.logging.WsmMessageLogger - Following validation errors were
encountered while validating document
"/policies/oracle/multi_token_over_ssl_client_policy" :
2017-07-23 10:49:35,562 SEVERE [18]
oracle.wsm.common.logging.WsmMessageLogger - Following validation errors were
encountered while validating document
"/policies/oracle/multi_token_client_policy" :
The errors are caused because of the corrupted custom documents which need to be either removed or fixed before upgrade.
This does not impact the functionality of OWSM functionality, and hence can be ignored.
Parent topic: Troubleshooting the Oracle Access Manager Upgrade