This document describes the bug fixes that are included with Bundle Patch 12.2.1.4.240919.

The Bundle Patch requires a base installation of Oracle Access Management Webgate 12c (12.2.1.4.0). This document supersedes the documentation that accompanies Oracle Access Management 12c (12.2.1.4.0), and earlier documents if any. This document contains the following sections:

1.1 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.210816

Oracle Access Management 12.2.1.4.210816 BP includes the following new features and enhancements:

  • Two-way SSL for OAP over REST Communication.

    You can enable mutual authentication for OAP over REST between WebGate and OAM Server, therefore ensuring that the Server communicates with authentic clients.

    For details, see Enabling two-way SSL for OAP over REST.

1.2 Understanding the Webgate Bundle Patch

Describes Bundle Patches and explains differences between Bundle Patches, patch set exceptions (also known as one-offs), and patch sets.

Topics

1.2.1 WebGate Bundle Patch Introduction

A bundle patch is an official Oracle patch for Oracle Access Management components on baseline platforms. In a bundle patch release string, the fifth digit indicated the bundle patch number. Effective November 2015, the version numbering format has changed. The new format replaces the numeric fifth digit of the bundle version with a release date in the form "YYMMDD" where:

  • YY is the last 2 digits of the year

  • MM is the numeric month (2 digits)

  • DD is the numeric day of the month (2 digits)

Each bundle patch includes the libraries and files that have been rebuilt to implement one or more fixes. All of the fixes in the bundle patch have been tested and are certified to work with one another.

Each bundle patch is cumulative: the latest bundle patch includes all fixes in earlier bundle patches for the same release and platform. Fixes delivered in bundle patches are rolled into the next release.

Bundle patches are released on a regular basis and are available on My Oracle Support (formerly Oracle MetaLink).

Note:

To remain in an Oracle-supported state, Oracle recommends that you apply the bundle patch to all installed components for which packages are provided.

Table 1-1 Bundle Patches versus Patch Sets

Mechanism Description

Bundle Patch

A bundle patch is an official Oracle patch mechanism for Access Manager components on baseline platforms. Each bundle patch includes the libraries and files that have been rebuilt to implement one or more fixes.

This bundle patch must be applied to Access Manager 12.2.1.4.0 WebGates.

See Also: Before Installing this WebGate Bundle Patch

Patch Set

All of the fixes in the patch set have been tested and are certified to work with one another on the specified platforms.

Each patch set provides the libraries and files that have been rebuilt to implement bug fixes (and new functions, if any). However, a patch set might not be a complete software distribution and might not include packages for every component on every platform.

1.3 WebGate Bundle Patch Requirements

Requirements for this WebGate release are discussed in the following topics:

1.3.1 WebGate Bundle Patch 12.2.1.4.240919

Oracle Access Manager 12c Release (12.2.1.4.0) WebGates are the required base for WebGate Bundle Patch 12.2.1.4.240919

Note:

This patch is for customers moving to DB19c. Customers who do not want to migrate to DB19c must request one-off fixes for WebGate bugs.

See Also:

Certification Documentation for details about certification, installers, and downloads.

1.3.2 Bundle Patch Recommendations

Oracle recommends that you apply the WebGate bundle patch to all installed WebGates for which a bundle patch is provided.

Oracle also recommends that OAM Server components be at the same (or higher) bundle patch level as the installed 12c WebGate.

Note:

This bundle patch is for DB19c customers.
If you have ... Perform Following Steps...

12.2.1.4.0 Webgates

Apply the WebGate bundle patch:

1.4 Before Installing this WebGate Bundle Patch

Before installing this bundle patch, Oracle recommends that you review this section and follow these instructions carefully:
  1. Ensure that your system configuration is at the appropriate level:

    • Access Manager 12.2.1.4.0

    • Supported Operating System

    • Supported Web server release and type

  2. Confirm that any currently installed bundle patch level is lower than the one you intend to install.
  3. There is no need to remove an earlier bundle patch before installing a later one.
  4. Windows 64-bit OS: See Preparing 64-Bit Oracle HTTP Server 12c WebGates on Windows 64-Bit Platforms

    Note:

    If your system configuration does not meet support requirements, or if you are not certain that your system configuration meets these requirements, Oracle recommends that you log an Service Request to get assistance with this bundle patch. Oracle Support will make a determination about whether you should apply this bundle patch or not.
  5. Following pre-requisites are needed for Oracle HTTP Server(OHS) and Oracle Traffic Director(OTD) WebGates:
    1. Download DB Client Installer patch: 34761383 and install DB Client by following the instruction in the readme.txt of 34761383.
    2. Apply OSS Bundle Patch:37096063.
    3. Apply OHS Bundle Patch:37033394 or OTD Bundle Patch:34380114 according to middleware home.
    4. If you apply OHS Bundle Patch:37033394 for the HPUX operating system, you will also be required to apply the one-off patch 37204850.
    5. Apply DB Client patch 36615359 for all operating systems. If the operating system is AIX,then apply DB client one-off patch 34976606 also.
  6. Minimum OS version required for WebGate is OEL 7.

1.5 Installing and Removing the Webgate Bundle Patch

This section contains the following topics to guide you, as you prepare and install the WebGate files (or as you remove a WebGate, should you need to revert to your original installation):

1.5.1 Preparing All Environments and Downloading the Bundle Patch

This section introduces the Oracle patch mechanism (Opatch) and requirements that must be met before applying the bundle patch. Opatch is a Java-based utility that runs on all supported operating systems and requires installation of the Oracle Universal Installer.

Note:

Oracle recommends that you have the latest version of Opatch from My Oracle Support. Opatch requires access to a valid Oracle Universal Installer (OUI) Inventory to apply patches.

The patching process uses both unzip and Opatch executables. After sourcing the $ORACLE_HOME environment, Oracle recommends that you confirm that both of these exist before patching.

Perform steps in the following procedure to prepare your environment and download the bundle patch. Due to formatting constraints in this document, some sample text lines wrap around. These line wraps should be ignored.

Note:

Ignore line wrapping in syntax examples and ignore steps that do not apply to your environment or intended Opatch use.

Unless explicitly identified as relevant to only a specific condition, all steps apply to all Opatch environments. Steps that relate to only a specific condition are identified with a bold condition.

To prepare your environment and download the bundle patch:

  1. Download the latest Opatch version.

    Note:

    Use opatch -version to check if your Opatch version is the latest. If it is an earlier version of Opatch, download the latest version.
  2. Confirm and add required executables to your system PATH:

    • Check your $ORACLE_HOME to confirm that it is pointing to the right Webgate$ORACLE_HOME.

    • Confirm the required executables are in your system PATH, and add these if needed:

      which opatch

      which unzip

    To add the required executables to your system path, you need to add the path of Opatch in PATH variable using the following: 

    export PATH=$ORACLE_HOME/OPatch:$PATH
  3. Verify the OUI Inventory using one of the following commands:
    opatch lsinventory

    or

    opatch lsinventory -jdk [Path to jdk8]

    If an error occurs, contact Oracle Support and work to validate and verify the inventory setup before proceeding.

  4. On the machine that will host the bundle patch files, create a directory to store the unzipped patch (referenced later as PATCH_TOP). For example:

    Linux: /home/12.2.1.4.0/tmp

    Windows: C:\12.2.1.4.0\tmp

  5. Retrieve the Bundle Patch:

    • From My Oracle Support, click the Patches & Updates link.

    • Enter the Patch ID or Number, then click Search to display a Patch Search Results table.

    • Using the Release and Platform columns, find the desired patch, then click the associated Patch ID.

    • Download: In the page that appears, click the Download button to retrieve the packages.

  6. Unzip the patch zip file into the PATCH_TOP directory you created earlier. For example:
    unzip -d PATCH_TOP p37078094_122140_platform.zip
  7. Proceed as needed for your environment:

1.5.2 Preparing 64-Bit Oracle HTTP Server 12c WebGates on Windows 64-Bit Platforms

If you are using Windows 64-bit operating systems, you must install updated Microsoft Visual C++ 2012 libraries on the machine hosting the Oracle HTTP Server 12c WebGate for Oracle Access Manager.

To install Microsoft Visual C++ 2012 Redistributable Package (x64)

Install the Microsoft Visual C++ 2012 Redistributable Package (x64) for x64 systems, which can be downloaded from the following web site:

https://www.microsoft.com/en-us/download/details.aspx?id=30679

Proceed to Installing a WebGate Bundle Patch on Any Platform

1.5.3 Installing a WebGate Bundle Patch on Any Platform

This section describes how to install WebGate bundle patches on any platform using Oracle patch (Opatch). While individual command syntax might differ depending on your platform, the overall procedure is the same for all platforms.

The files in each bundle patch are installed into the destination ORACLE_HOME. This enables you to remove (roll back) the bundle patch even if you have deleted the original bundle patch files from the temporary directory you created.

Oracle recommends that you back up the ORACLE_HOME using your preferred method before any patch operation. You can use any method (zip, cp -r, tar, and cpio) to compress the ORACLE_HOME.

When Opatch starts, it validates the patch to ensure there are no conflicts with the software already installed in your ORACLE_HOME:

  • Conflicts with a patch already applied to the ORACLE_HOME. In this case, stop the patch installation and contact Oracle Support Services.

  • Conflicts with subset patch already applied to the ORACLE_HOME. In this case, continue installation because the new patch contains all the fixes from the existing patch in the ORACLE_HOME. The subset patch is automatically rolled back before installation of the new patch begins.

See Also:

To install a Webgate bundle patch on any platform:

  1. Before applying the bundle patch stop the node manager and OHS component.
  2. Complete all activities in Preparing All Environments and Downloading the Bundle Patch
  3. Finish preparing your deployment using one of the following topics, as needed:
  4. Log in as the same user who installed the base WebGate and:

    • Turn off the Web server associated with the protected application.

    • Back up your ORACLE_HOME.

    • Move the backup directory to another location and record this so you can locate it later, if needed.

  5. Set your current directory to the directory where the patch is located. For example:
    cd PATCH_TOP/37078094
  6. Use one of the following Opatch commands to apply the patch to your ORACLE_HOME:
    opatch apply

    or

    opatch apply -jdk [Path to jdk8]

  7. Restart the Web server.

1.5.4 Failure During WebGate Bundle Patch Installation

If there is a failure during your WebGate installation, your original WebGate installation is restored automatically.

Note:

You can check the window to see if you can discern the problem, then correct the problem and restart the bundle patch installation.

1.5.5 Rolling Back a WebGate Bundle Patch on Any System

The steps to remove a WebGate bundle patch from all systems are provided in the following procedure, if needed. While individual command syntax might differ depending on your platform, the overall procedure is the same.

Note:

If you see "Patch not present in the Oracle Home, Rollback cannot proceed", enter opatch rollback -help to get more information. If the patch was applied using -no_inventory option, use -ph option.

Rollback is not supported for Oracle HTTP Server(OHS) and Oracle Traffic Director(OTD) WebGates.

After the WebGate bundle patch is removed, the system is restored to the state it was in immediately before the bundle patch installation.

To roll back a WebGate bundle patch on any system:

  1. Perform all steps in Preparing All Environments and Downloading the Bundle Patch to verify the inventory, set any environment variables, shut down any services running from the ORACLE_HOME or host machine.
  2. Stop the WebGate Web server, and change to the directory where the patch was unzipped. For example:
    cd PATCH_TOP/37078094
  3. Back up the ORACLE_HOME directory that includes the bundle patch and move the backup to another location so you can locate it later, if needed.
  4. Run Opatch to roll back the patch. For example:
    opatch rollback -id 37078094

    or

    opatch rollback -id 37078094 -jdk PathtoJDK8
  5. Start the WebGate Web server.

1.6 Resolved Issues

This Bundle Patch provides the fixes described in the below section:

1.6.1 Resolved Issues in 12.2.1.4.240919

Table 1-2 Resolved Issues in 12.2.1.4.240919

Base Bug No Description
36945930 CANNOT AUTHENTICATE MORE THAN ONE RESOURCE WEBGATE WITH OAM 12.2.1.4.0 DCC WEBGATE IN OAP OVER REST
36828018 CVE-2024-23807
35215745 WEBGATE LOG FILES ROTATION: MAX_FILE_COUNT SETTING DOESN'T WORK IN WEBGATE 12C?
16198444 WEBGATE DOESN'T HAVE MECHANISM TO LIMIT NUMBER OF LOG FILES GENERATED
36708247 WEBGATE SUPPORT FOR PROTECTED COOKIE OPTION FOR OAMAUTHNCOOKIE

Note:

For this fix to work, set the WebGate user defined parameter 
ssoCookie=Partitioned
33974688 OAP HANDSHAKE - CONFIRM TRANSPORT IS ESTABLISHED AS PER PROFILE SETTINGS
35955438 CVE-2023-37536
30144004 OAM 12C VALIDATION NOT HAPPENING ON INCORRECT USER LOGIN IN DCC LOGIN PAGE

1.6.2 Resolved Issues in 12.2.1.4.230106

Table 1-3 Resolved Issues in 12.2.1.4.230106

Base Bug No Description
34856084 IHS SERVER FAILED TO START AFTER APPLYING WEBGATE PATCH 34848733
34256602 WEBGATE.INI FILE IS MISSING THE '1' AFTER THE INSTALLATION
33488626 WEBGATE HTTP 200 RESPONSE DOESN'T INCLUDE SECURITY DIRECTIVES FROM HTTPD.CONF

Note:

Security headers configured in Webgate user-defined parameters like X-Frame-Options, Content-Security-Policy, and so on can also be set on Webgate requests like obrar.cgi. You can disable this feature by setting setXResponsesForWG=false in Webgate's user-defined parameters.
34236162 JWT SIGNATURE VERIFICATION FAILING ON AIX DUE TO NZ API ZTPK_VERIFY RETRUNING FAILURE
34494730 OAP VIA REST WEBGATE LOGGING DOES NOT LOG UNENCRYPTED MESSAGES
34036914 WEBGATE OAP OVER HTTP SHOULD PRESERVE ECID OF OHS REQUESTS FROM END-USERS
33397046 CWG HANGS ON APACHE PREFORK MPM AWS TO OCI AFTER ONE HOUR
33398391 STRESS:FA:OAM:FMW12C: CORE DUMPS SEEN IN OHS FROM OBHTTPREQUESTHANDLER::HANDLEMESSAGE DURING LOGON_STORM TEST
33245317 LOGOUT CALLBACK NOT WORKING PROPERLY FOR IDCS WEBGATE
33088004 OHS12C WEBGATE ON CONFIGURING IN 2WAY SSL WITH OAM FIRST ACCESS GIVE ACCESS SERVER ISSUE
32074849 NEED TO SUPPORT 2-WAY SSL FOR OAP OVER REST OR HTTP
32801155 OHS 12.2.1.3.200813 (BP05) CAUSES 20 ERROR PER HOUR AFTER BEING APPLIED
32078823 WEBGATE 12C MEMORY LEAK ISSUE
32843839 NEED CASE INSENSITIVE FILTER IN CLOUD.POLICY
31918824 DELAYS WHEN LOADING RESOURCES IF ONE OR MORE NODES HAVE IPTABLES DROP

1.6.3 Resolved Issues in 12.2.1.4.210816

Table 1-4 Resolved Issues in 12.2.1.4.210816

Base Bug No Description
28793688 WEBGATE CHANGES REQUIRED FOR BUG 28562000
31115416 FRC AND EPM WORKSPACE ERROR THE REQUESTED URL CONTAINS ILLEGAL CHARACTERS.
31861763 END_URL SET TO VALUE OF LOGOUT TARGET URL INSTEAD OF USING AS QUERY PARAM NAME
32107421 DIAG: NEW 12.2.1.4.0 WEBGATE LOG SHOWS "ERROR PERFORMING LIBCURL OPERATION"

1.6.4 Resolved Issues in 12.2.1.4.200811

Table 1-5 Resolved Issues in 12.2.1.4.200811

Base Bug Number Description
31316696 OHS/WEBGATE THROWING AH00027: NO AUTHENTICATION DONE
31062117 WEBGATE : CHROME VERSION 80+ AND SAMESITE=NONE ISSUE (OTHER BROWSERS TO FOLLOW)
31134868 DIAGNOSTIC IMPROVEMENT FOR BUG#30806559 - HMAC FLOWS NEED MORE LOGGING
28200446 Fix for Bug 28200446
30884653 Fix for Bug 30884653
29213867 URL IS GIVING ACCESS MANAGER ERROR
25429284 ENHANCED THE WEBGATE LOGGING WHEN CONNECTION ISSUES ARE SEEN
29204353 OHS FAILS TO START AFTER UPGRADE FOR 11G WEBGATE

1.7 Known Issues

Known issues and their workarounds in Oracle Access Management Release 12.2.1.4.0 are described in the Oracle Access Management chapter of the Release Notes for Oracle Identity Management document. You can access the Release Notes document in the Oracle Identity Management Documentation library at the following URL:

https://docs.oracle.com/en/middleware/idm/suite/12.2.1.4/idmrn/index.html

Note:

Some known issues listed in the Release Notes for Oracle Identity Management may have been resolved by this Bundle Patch. Compare the issues listed in Resolved Issues of this document when reviewing the Release Notes for Oracle Identity Management

1.8 Documentation

This section describes the documentation that is available to support the latest bundle patch and the original release. This section provides the following topics:

1.8.1 Oracle Access Manager Manuals and Release Notes

You can find release notes and manuals on Oracle Technology Network (OTN). If you already have a user name and password for OTN, you can go directly to the documentation section of the OTN Web site at:

http://www.oracle.com/technetwork/indexes/documentation/index.html

Oracle Access Manager 12c documentation link:

https://docs.oracle.com/en/middleware/idm/access-manager/12.2.1.4/index.html

1.8.2 Patch Set Notes and Bundle Patch Notes

You can download notes with software patches and bundle patches from My Oracle Support (formerly MetaLink) at:

http://support.oracle.com

This document, Oracle Access Manager WebGate Release Notes Bundle Patch 12.2.1.4.240919 for All Server Platforms, provides the following information for this specific bundle patch release:

  • General information about bundle patches.

  • General WebGate bundle patch requirements and installation details.

  • Details about what is included in the Webgate bundle patch.

The Oracle Access Manager WebGate Release Notes Bundle Patch 12.2.1.4.240919 for All Server Platforms is available in HTML format, as readme.htm, that you can view without downloading the zip file.

1.8.3 Certification Documentation

Certification Matrix

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

Oracle Fusion Middleware Requirements

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-requirements-100147.html

Oracle Fusion Middleware Downloads

http://www.oracle.com/technetwork/middleware/downloads/index-087510.html

1.9 Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible to all users, including users that are disabled. To that end, our documentation includes features that make information available to users of assistive technology.

This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at http://www.oracle.com/accessibility/.

Accessibility of Code Examples in Documentation

Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

Deaf/Hard of Hearing Access to Oracle Support Services

To reach Oracle Support Services, use a telecommunications relay service (TRS) to call Oracle Support at 1.800.223.1711. An Oracle Support Services engineer will handle technical issues and provide customer support according to the Oracle service request process. Information about TRS is available at http://www.fcc.gov/cgb/consumerfacts/trs.html.