This document describes OAM Bundle Patch 12.2.1.4.241227.
This document requires a base installation of Oracle Access Management 12c Patch Set 4 (12.2.1.4.0). This supersedes the documentation that accompanies Oracle Access Management 12c Patch Set 4 (12.2.1.4.0) and contains the following sections:
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.241009
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.240701
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.240328
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.240109
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.231005
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.230628
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.220906
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.220404
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.220113
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.210920
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.210408
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.201201
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.200909
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.200629
-
New Features and Enhancements in OAM Bundle Patch 12.2.1.4.200327
1.1 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.241009
Oracle Access Management 12.2.1.4.241009 BP includes the following new features and enhancements:
-
Setting the GCM API Key
Google is deprecating legacy FCM APIs and migrating to HTTP v1 APIs. For all new configurations, it is recommended to use HTTP v1 APIs. For the steps to migrate to HTTP v1 APIs, see Migrating to service account JSON for Android Push Notifications.
-
Automating SAML Certificate or Key or Metadata Rotation
You can schedule the retrieval of new partner certificates and metadata via a REST endpoint and seamlessly rotate the updated credentials across all dependent systems and applications without any downtime. For more details, see Automating SAML Certificate or Key or Metadata Rotation.
-
Ability to Load the Fusion Page in Visual Builder (VB)
In the Chrome browser, some OAM cookies were blocking the Fusion page from loading in the Visual Builder (VB) after the third-party cookies were deprecated. With this release, Cookies Having Independent Partitioned State (CHIPS) support is added for OAM/Webgate cookies to overcome this issue. For more details, see OAM Cookies Block the Fusion Page from Loading in VB after the 3rd Party Cookies are Deprecated.
-
Ability to Retrieve an ID Token Through an Authorization Code
You can retrieve both access and ID tokens when using the refresh token in the authorization code. For more details, see Getting IDtoken via a Refresh Token Request.
-
Best Practices for Oracle Access Manager (OAM) OAuth Security
Added best practices for OAM OAuth security that highlight the possible threats and strategies to mitigate those risks. For more details, see Best Practices for Oracle Access Manager (OAM) OAuth Security.
-
OAA Error Handling Plugins
Added new plugins to support MFA on the User Preferences page. For more details, see OAA Error Handling Plugins.
-
Ability to Add Partner Signing and Encryption Keys
A new Key Configuration section was added to the OAM Console allowing you to select the partners signing and encryption keys when creating a new Identity Provider (IdP) or Service Provider (SP). For more details, see Use Oracle Access Manager to sign on to Oracle Private Cloud Appliance.
-
Ability to Configure Reuse Detection for Refresh Tokens
Added a new property to detect the reuse of the Refresh Tokens. For more details, see Configuring reuse detection for Refresh Tokens.
1.2 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.240701
Oracle Access Management 12.2.1.4.240701 BP includes the following new features and enhancements:
-
Connecting with Messaging Server
If you configured push notifications for Android then you should migrate to HTTP v1 API's by following the steps mentioned in Migrating to service account json for Android Push Notification.
-
Enhanced OAM 12c OAuth to Support RS512 in Addition to RS256 (Default) as the Crypto Algorithm for Signing the OAuth Token
-
Introduced an OAuth system property (
-DoauthRS512Enabled=true
) to enforceRS512
crypto algorithm when enabled across all OAuth Identity Domains (Default -RS256
). Add the system property to setDomainEnv.sh
to enable this feature. -
Introduced an OAuth custom attribute (
oauthRS512Enabled=true
) to enforceRS512
crypto algorithm when enabled on specific OAuth Identity Domains (Default -RS256
).
Note:
When both are set the system property overrides the OAuth Identity Domain custom attribute in enforcing theRS512
crypto algorithm. -
1.3 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.240328
Oracle Access Management 12.2.1.4.240328 BP includes the following new features and enhancements:
-
User Password Change Validation
Setting theuserPasswordChangeCheckEnabled=true
property inoam-config.xml
validates the tokens generated before the user password update. If the user updates or changes the password after retrieving the access tokens then those access tokens generated before the password update will be invalid. The user will need to regenerate the access tokens after the password is updated. For details, see Enabling User Password Change Validation.Note:
Perform a GET operation on the/DeployedComponent/Server/NGAMServer/Profile/ssoengine/OAuthConfig
endpoint and a PUT operation on the same endpoint to enable User Password Change Validation feature. It ensures that the configuration that has already been applied continues to be effective. -
Ability to Customize Issuer Discovery Identifier and Iss Token Claim
With the implementation of this enhancement, you can mask or omit the port from the issuer and customize the path component in the OpenID configurations. For details, see Custom Issuer Support.Note:
Perform a GET operation on the/DeployedComponent/Server/NGAMServer/Profile/ssoengine/OAuthConfig
endpoint and a PUT operation on the same endpoint to enable Custom Issuer Support feature. It ensures that the configuration that has already been applied continues to be effective. -
Ability to Change Default Consent Acknowledgment Expiry Time
A new custom attribute
consentAcknowledgeExpiryTimeInSeconds
allows you to change the default expiry time to acknowledge the consent approval. For details, see Changing Default Consent Acknowledgment Expiry Time. -
Ability to Set the Expiry Time for ID_TOKEN
You can set a token validity/expiry time for ID_TOKEN instead of using the validity/expiry time in the ACCESS_TOKEN settings. For details, see Creating an Identity Domain.
-
Client Secret Expiration and Rotation
By using the custom attribute
oldSecretRetentionTimeInDays
, you can configure the time for which the old client secret will continue to work. This custom attribute can be defined both at the domain-level and at the client-level. However, the value defined at the client-level takes precedence. For details, see Creating an Identity Domain. -
Added New Field to View API Key
With this release a new field API Key is added in the partner details screen. This field allows administrators to share the key details with the relevant partners for secure updates. For details, see Configuring the Signing and Encryption Key.
-
Ability to Check Authentication Context When OAM is Acting as a Service Provider (SP)
If OAM is acting as a SP, it identifies the Authentication Context of any external SAML Identity Provider (IdP) and proceeds with the SAML authentication based on the
authnassurancelevel
property. For details, see Checking Authentication Context when OAM is acting as SP. -
Ability to Mask SAML Response Attributes in OAM Log Messages
With this release, Oracle Access Management masks SAML Response attributes in OAM log messages. For details, see Masking SAML Attributes in Log Records.
1.4 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.240109
Oracle Access Management 12.2.1.4.240109 BP includes the following new features and enhancements:
- Propagating an Error Code from OAA Application to the OAM
Login Page
This enhancement propagates an error code from Oracle Advanced Authentication (OAA) application to OAM login page. The login page can be customized to show the error message propagated from OAA.
The following error codes are supported:-
Error code: OAA-00001
Reason: User Registration was incomplete.
Cause: No factors registered.
-
Error code: OAA-00002
Reason: User did not have any usable factors.
Cause: Maxed out of allowed authentication attempts. Matching factor(s) are disabled. No required factor(s) available for matching Policy.
-
Error code: OAA-00003
Reason: User authentication failure.
Cause: User did not submit valid authentication data.
-
Error code: OAA-00004
Reason: System temporarily unavailable.
Cause: Unexpected failure in Service during login. For example, Failure to send a challenge (Push, Email, SMS), Database outage.
-
- Enhancing OAM Session Management Endpoints
Introduced a mechanism to authorize OAM endpoints using TAP Tokens.
- Added Null Checks for Programmatic Authn REST InterfacesThe following fixes are made as a part of this enhancement:
- Resolved the Null Pointer Exception that occurs when No Auth is selected as the authentication method.
- In the session validation API, Null Pointer throws an exception when a
random string is supplied as an
OAM_RM
token.
- Added
PublicClientRefreshTokenEnabled
Client Custom Attribute to Obtain a Refresh Token with a Public ClientBy default it is not possible to obtain a refresh token with a public client. ThePublicClientRefreshTokenEnabled
client custom attribute allows you to change this behavior. To enable the feature set the attribute value to true. For example, create theoauth
public client with the following command:curl -X POST http://<AdminServerHost:Port>/oam/services/rest/ssa/api/v1/oauthpolicyadmin/client -H 'Authorization:Basic d2VibG9naWM6d2VsY29tZTE=' -H 'Content-Type: application/json' -d '{"id":"PublicClientId","name":"PublicClient","scopes":["ResServer1.scope1"],"clientType":"PUBLIC_CLIENT","secret":"welcome1","idDomain":"TestDomain1","description":"Client Description","grantTypes":["PASSWORD","CLIENT_CREDENTIALS","JWT_BEARER","REFRESH_TOKEN","AUTHORIZATION_CODE"],"defaultScope":"ResourceServerOud1.scope1","redirectURIs":[{"url":http://localhost:8080/Sample.jsp,"isHttps":true}], "attributes":[{"attrName":"PublicClientRefreshTokenEnabled","attrValue":"true","attrType":"static"}]}'
- Added
GrantTypeRefreshTokenEnabled
Client Custom Attribute to Return a Refresh Token Along with a New Access TokenBy default, when the grant type isrefresh_token
, only a new access token is returned. TheGrantTypeRefreshTokenEnabled
client custom attribute allows you to have a refresh token returned as well. To enable the feature set the attribute value to true. For example, create theoauth
confidential client with the following command:curl -X POST http://<AdminServerHost:Port>/oam/services/rest/ssa/api/v1/oauthpolicyadmin/client -H 'Authorization:Basic d2VibG9naWM6d2VsY29tZTE=' -H 'Content-Type: application/json' -d '{"id":"TestClientId","name":"TestClient","scopes":["ResServer1.scope1"],"clientType":"CONFIDENTIAL_CLIENT","secret":"welcome1","idDomain":"TestDomain1","description":"Client Description","grantTypes":["PASSWORD","CLIENT_CREDENTIALS","JWT_BEARER","REFRESH_TOKEN","AUTHORIZATION_CODE"],"defaultScope":"ResServer1.scope1","redirectURIs":[{"url":http://localhost:8080/Sample.jsp,"isHttps":true}], "attributes":[{"attrName":"GrantTypeRefreshTokenEnabled","attrValue":"true","attrType":"static"}]}'
Note:
To revoke the oldrefresh_token
while invoking therefresh_token
grant type set the system property-Doauth.auto.revoke.enabled=true
. The default value of this system property is false. - Support for
Response_mode
in the Authorization Code Grant FlowThis enhancement allows 3-legged OAM OAuth 2.0 workflow API (
/oauth2/rest/authorize
) to respond in different modes like fragment , query orform_post
by specifyingresponse_mode
as a query parameter. - Support for 3-legged OAuth 2.0 Workflow to Return the Appropriate Response
Mode
This enhancement ensures that 3-legged OAM OAuth 2.0 workflow API (
/oauth2/rest/authorize
) returns the appropriate response moderesponse_mode=form_post
if the consent expiry time has been set. - Support for Limiting PIN Generation During the Second Factor
Authentication
New properties
MaxSendAttempts
andMaxSendAttemptsLockoutEnabled
are added to the Adaptive Authentication Plugin to limit the PIN generation during the Second Factor Authentication. For details, see Limiting PIN Generation During the Second Factor Authentication.
1.5 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.231005
Oracle Access Management 12.2.1.4.231005 BP includes the following new features and enhancements:
- New Parameter to Fetch the Authorization Grant Details
Added a new parameter response_mode to fetch the authorization grants to redirect_uri. For details, see Table 39-7 Parameter Values for response_mode.
- Support for Authentication in Multiple Browser Tabs
OAM supports multi-tab feature when serverRequestCacheType parameter is set to COOKIE. For details, see Supporting Authentication in Multiple Browser Tabs.
- OAM OAuth2 Runtime Endpoint to Support Domain as a Query
ParameterA new query parameter identityDomain is added to the oauth2 runtime endpoint instead of the header parameter X-OAUTH-IDENTITY-DOMAIN-NAME. The header parameter X-OAUTH-IDENTITY-DOMAIN-NAME is not required when identityDomain is provided. If both parameters are used, X-OAUTH-IDENTITY-DOMAIN-NAME will take precedence over identityDomain. For details, see:
- OAM OAuth2 Token Validation URL Supports Passing access_token both
as a Header and as a Query Parameter
The access_token can be passed either as a header parameter or as a query parameter in the token validation URL. New syntax to initiate access_token as a header and as a query parameter are included in the REST API for OAuth. For details, see Validate Access Token Flow.
1.6 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.230628
Oracle Access Management 12.2.1.4.230628 BP includes the following new features and enhancements:
- Support for Administering a Secret Key
OAM supports administering a secret key using an access token with the BEARER authorization header by enabling the Secret Key Lifecycle feature.
For more information, see Administering a Secret Key.
- Access Token Exchange Support in OAM
Support for token exchange is made available in this release.
For more information, see Token Exchange Support in OAM.
- OpenIdConnectPlugin plugin to Set Tokens as Session ResponsesOIDC token values can be retrieved using policy authorization responses (header or cookie) using the following expressions:
- For the access token: $session.attr.oidc.token.access
- For the refresh token: $session.attr.oidc.token.refresh
- For the ID token: $session.attr.oidc.token.id
In a custom plugin, the following authentication context parameters can be used to obtain access token information:- token_response: full response from the token endpoint
- access_token: access token value
- refresh_token: refresh token value
- idtoken: id token value
- Functionality to Allow Cache Controlled by Request URLIntroduce an exception list to avoid caching of authorization policy results on Webgate specific resources. The following WLST commands are available for managing the exception list:
configureWGAuthzCachingExceptionListUrls(noCacheURL, action)
Example:configureWGAuthzCachingExceptionListUrls("exceptionUrl", "add/remove")
- This WLST command can be used to add or remove URLs from the Webgate Authorization Caching Exception List on OAM Server.
- '
action
' can be specified as 'add
' or 'remove
' to operate accordingly onExceptionList
configureWGAuthzCachingExceptionList(enabled, matchCriteria = "exactMatch", withQuery = "false")
Example:configureWGAuthzCachingExceptionList("true/false", matchCriteria = "exactMatch/startsWith", withQuery = "true/false")
- This WLST command can be used to enable or disable the Webgate Authorization Caching Exception List on OAM Server.
- '
matchCriteria
' can be specified as 'exactMatch
' or 'startsWith
', with default being 'exactMatch
' - '
withQuery
' can be specified as 'true
' or 'false
', with 'false
' being the default meaning query-string from URL in Webgate authorization request will be ignored.
1.7 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.220906
Oracle Access Management 12.2.1.4.220906 BP includes the following new features and enhancements:
- Federation Partners Support Certificates Using RSASSA-PSS Signature
Algorithms
OAM 12.2.1.4.220906 BP includes support for the Signature Algorithm SHA256-RSA-MGF1.
Note:
This update is dependent on OWSM patch 34839859.For details, see Configuring RSA OAEP Key Transport Digest and MGF Digest.
- The OAuth Client GET REST API is Enhanced to Retrieve the Client
Secret
For use cases that require the administrators to display the client secret for registered clients in their admin portals. This feature needs to be enabled after applying the patch for the new behavior to take effect, so the secret for the clients that get registered after enabling this feature can be retrieved using the API. For existing clients that were registered before enabling the feature, the previous behavior of returning hashed secrets will continue.
For details, see Manage OAuth Client Secret Retrieval.
1.8 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.220404
Oracle Access Management 12.2.1.4.220404 BP includes the following new features and enhancements:
-
Make the OAM_ID Cookie Domain Scoped, Instead of Host Scoped
Support has been added to add a cookie domain for the OAM_ID cookie. This can be enabled by setting the configuration parameter
SSOCookieDomainEnabled
to true. The cookie domain for the cookie must be set through the configuration propertySSOCookieDomain
. These updates must be done in theoam-config.xml
file using the import utility. A server restart is required after the import.For details, see bug 33291908 in Table 1-12.
1.9 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.220113
Oracle Access Management 12.2.1.4.220113 BP includes the following new features and enhancements:
-
Support for OAuth Custom Claims Plugin
For details, see the note
Oracle Access Manager (OAM) Federation Protocol OAUth - Elaborated Steps For <Patch:28228295> (Doc ID 2817030.1)
at https://support.oracle.com
1.10 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.210920
Oracle Access Management 12.2.1.4.210920 BP includes the following new features and enhancements:
-
OAM SAML 2.0 Supported Encryption Algorithms
OAM supports AES-GCM encryption modes.
For details, see OAM SAML 2.0 Supported Encryption Algorithms and Changing Default Encryption Algorithm.
-
Two-way SSL for OAP over REST Communication.
You can enable mutual authentication for OAP over REST between WebGate and OAM Server, therefore ensuring that the Server communicates with authentic clients.
For details, see Enabling two-way SSL for OAP over REST.
-
TOTP-based Multi Factor Authentication in OAM
You can configure MFA using the
configureMFA
command withconfig-utility.jar
.For details, see Configuring TOTP-based Multi Factor Authentication in OAM.
-
Token Signing Using Third-Party Certificates
Access tokens can be signed using a self-signed key pair generated out-of-the-box. In this release, OAM extends the support to allow signing of access tokens using third-party key pairs.
For details, see Token Signing Using Third-Party Certificates.
-
Mutual-TLS (mTLS) Client Authentication in OAM
In TLS authentication, the server confirms its identity by producing a certificate (public key), which is then verified by the TLS verification process. In mTLS (mutual-TLS), along with the server, the client's identity is also verified. The TLS handshake is utilized to validate the client's possession of the private key corresponding to the public key in the certificate and to validate the corresponding certificate chain.
For details, see Configuring Client Authentication and Configuring mTLS Client Authentication.
-
Custom Claims
OAM extends the ability to define custom claims using templates that can be configured at the client or domain level. The custom claims can be included in all access tokens, ID tokens and userinfo output. You can perform value transformations as well as value filtering of the custom claim.
For details, see Custom Claims.
-
OAuth Access Token Maximum Size
Default OAuth access token length limit has been increased to
7500
. This value can be overridden using the OAuth Identity domain custom parameteraccessTokenMaxLength
. -
OAuth Client Update - Support for
PATCH
RequestIntroduces support for
PATCH
request during modification of OAuth clients. WithPATCH
operation, OAM appends existing scopes with values from the request. Similar behavior is provided for redirect_uris, grant types, and custom attributes. The existingPUT
operation replaces the contents of OAuth client parameters with the values from the request.
1.11 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.210408
Oracle Access Management 12.2.1.4.210408 BP includes the following new features and enhancements:
-
Session Management Optimizations
Session Management Engine has been optimized and tuned to provide improved system performance under load.
See also Database Tuning for Oracle Access Management in the Tuning Performance Guide.
-
OAuth Refresh Token Management
OAuth Token Management capabilities have been enhanced with the ability to invalidate Refresh Tokens.
For details, see Revoking OAuth Tokens in Administering Oracle Access Management.
-
12c WebGates for Apache and IIS Web Servers
WebGates for IIS and Apache Web Servers are made available in this release.
For details, see Installing and Configuring IIS 12c WebGate for OAM in Installing WebGates for Oracle Access Manager.
-
Support for TLS 1.3 & FIPS 140-2
This release is compliant with the latest FIPS and TLS standards and versions.
For details, see Enabling FIPS Mode on Oracle Access Management and TLS 1.3 and TLS 1.2 Support in Oracle Access Management in Administering Oracle Access Management.
1.12 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.201201
Oracle Access Management 12.2.1.4.201201 BP includes the following new features and enhancements:
-
Proof Key for Code Exchange (PKCE) Support in OAM
Introduces PKCE support in the existing OAM OAuth Authorization Code Grant Flow. It can be used to enhance the security of the existing 3-legged OAuth, mitigating possible authorization code interception attacks. You can enable PKCE at the domain level or just for a specific client.
For details, see Proof Key for Code Exchange (PKCE) Support in OAM in Administering Oracle Access Management.
-
Keep the OAUTH_TOKEN Response Unset
OAM provides an option to not set the
OAUTH_TOKEN
cookie or header when SSO Session Linking is enabled. You must set the challenge parameterIS_OAUTH_TOKEN_RESPONSE_SET
tofalse
.Note:
IfIS_OAUTH_TOKEN_RESPONSE_SET
is not configured, or set totrue
then theOAUTH_TOKEN
cookie/header is set.
1.13 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.200909
Oracle Access Management 12.2.1.4.200909 BP includes the following new features and enhancements:
-
Support for AWS Role Mapping Attribute in SAML Response
Introduces a new function that can be configured in SP Attribute Profile for supporting the AWS role mapping attribute in SAML response.
For details, see AWS Role Mapping Attribute in SAML Response in Administering Oracle Access Management.
-
Support for Attribute Value Mapping and Filters in OAM Federation
OAM federation supported Attribute Name Mapping. It extends the support for Attribute Value Mapping and Attribute Filtering features.
For details, see Using Attribute Value Mapping and Filtering in Administering Oracle Access Management.
1.14 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.200629
Oracle Access Management 12.2.1.4.200629 BP includes the following new features and enhancements:
-
Support for SameSite=None Attribute in OAM Cookies
OAM adds
SameSite=None
attribute to all the cookies set by WebGate and OAM Server.Note:
- You must also download and upgrade to the latest WebGate Patch for this
feature to work. For details, see the note
Support for SameSite Attribute in Webgate (Doc ID 2687940.1)
at https://support.oracle.com. - See also the note
Oracle Access Manager (OAM): Impact Of SameSite Attribute Semantics (Doc ID 2634852.1)
at https://support.oracle.com.
Optional Configurations on OAM Server
- If SSL/TLS is terminated on Load Balancer (LBR) and OAM server is not
running in SSL/TLS mode, set the following system property in setDomainEnv.sh:
-Doam.samesite.flag.value=None;secure
Alternatively, you can propagate the SSL/TLS context from the LBR or Web Tier to OAM Server. For details, see
Doc ID 1569732.1
at https://support.oracle.com. - To disable the inclusion of
SameSite=None
by OAM Server, set the following system property in setDomainEnv.sh:-Doam.samesite.flag.enable=false
- To set
SameSite=None
for non-SSL/TLS HTTP connections, set the following system property in setDomainEnv.sh:-Doam.samesite.flag.enableNoneWithoutSecure=true
Example: To add the system properties to setDomainEnv.sh:- Stop all the Administration and Managed Servers.
- Edit
$OAM_DOMAIN_HOME/bin/setDomainEnv.sh
and add the properties as shown below:EXTRA_JAVA_PROPERTIES="-Doam.samesite.flag.enable=false ${EXTRA_JAVA_PROPERTIES}" export EXTRA_JAVA_PROPERTIES
- Start the Administration and Managed Servers.
Optional Configurations for WebGate
- If SSL/TLS is terminated on LBR and OAM Webgate WebServer is not running in SSL/TLS mode, set the ProxySSLHeaderVar in the User Defined Parameters configuration to ensure that WebGate treats the requests as SSL/TLS. For details, see User-Defined WebGate Parameters.
- To disable inclusion of
SameSite=None
by OAM WebGate, setSameSite=disabled
in the User Defined Parameters configuration on the console. This is a per-agent configuration. - To set
SameSite=None
for non-SSL HTTP connections, setEnableSameSiteNoneWithoutSecure=true
in the User Defined Parameters configuration on the console. This is a per-agent configuration.
Note:
In deployments using mixed SSL/TLS and non-SSL/TLS components: For non-SSL/TLS access, OAM Server and Webgate do not set
SameSite=None
on cookies. Some browsers (for example, Google Chrome) do not allowSameSite=None
setting on non-secure (non-SSL/TLS access) cookies, and therefore may not set cookies if a mismatch is found.Therefore, it is recommended that such mixed SSL/TLS and non-SSL/TLS deployments are moved to SSL/TLS only deployments to strengthen the overall security.
- You must also download and upgrade to the latest WebGate Patch for this
feature to work. For details, see the note
-
X.509 Authentication with Extended Key Usage (EKU)
In X.509 authentication flows, Extended Key Usage (EKU) certification extension check can be added optionally to ensure that the usage of the certificate is allowed.
For details, see X.509 Authentication Using Extended Key Usage (EKU) in Administering Oracle Access Management.
1.15 New Features and Enhancements in OAM Bundle Patch 12.2.1.4.200327
Oracle Access Management 12.2.1.4.200327 BP includes the following new features and enhancements:
-
OAuth Consent Management
Provides the capability to manage and persist user consents while providing a mechanism to revoke them across Data Centers. The consent revocation capability is provided for both Administrators as well as individual users.
For details, see Enabling Consent Management and Enabling Consent Management on MDC in Administering Oracle Access Management.
- OAuth Just-In-Time (JIT) User Linking and Creation
Provides the capability to provision users automatically. The ID Token as received from the Identity Provider (IdP) has user attributes. These user attributes can have values like userId, user name, first name, last name, email address and so on, which could be used for linking users to entries in the local User Identity Store or create them, if they do not exist.
For details, see OAuth Just-In-Time (JIT) User Provisioning in Administering Oracle Access Management.
- OAM Snapshot Tool
Provides tooling to create a snapshot of the OAM IDM Domain with all its configurations, persist it and use it for creating fully functional OAM IDM Domain clones.
For details, see Using the OAM Snapshot Tool in Administering Oracle Access Management.
- SAML Holder-of-Key (HOK) Profile Support
SAML Holder-of-Key (HOK) profile support is added for OAM when acting as an Identity Provider (IdP). This support is with OCI Service Provider (SP) Partners.
For details, see the note
OAM 12c Identity Provider (IDP) for SAML Profile Support with OCI Service Provider (SP) Partners (Doc ID 2657717.1)
at https://support.oracle.com.
1.16 Understanding Bundle Patches
Describes Bundle Patches and explains differences between Stack Patch Bundles, Bundle Patches, interim patches and Patch Sets.
1.16.1 Stack Patch Bundle
Stack Patch Bundle deploys the IDM product and dependent FMW patches using a
tool. For more information about these patches, see Quarterly Stack Patch
Bundles (Doc ID 2657920.1)
at https://support.oracle.com.
1.16.2 Bundle Patch
A Bundle Patch is an official Oracle patch for Oracle Fusion Middleware components on baseline platforms. In a Bundle Patch release string, the fifth digit indicated the bundle patch number. Effective November 2015, the version numbering format has changed. The new format replaces the numeric fifth digit of the bundle version with a release date in the "YYMMDD" format where:
-
YY is the last 2 digits of the year
-
MM is the numeric month (2 digits)
-
DD is the numeric day of the month (2 digits)
Each Bundle Patch includes the libraries and files that have been rebuilt to implement one or more fixes. All fixes in the Bundle Patch have been tested and are certified to work with one another.
Each Bundle Patch is cumulative: the latest Bundle Patch includes all fixes in earlier Bundle Patches for the same release and platform. Fixes delivered in Bundle Patches are rolled into the next release.
1.16.3 Interim Patch
In contrast to a Bundle Patch, an interim patch addresses only one issue for a single component. Although each interim patch is an official Oracle patch, it is not a complete product distribution and does not include packages for every component. An interim patch includes only the libraries and files that have been rebuilt to implement a specific fix for a specific component.
You may also know an interim patch as: security one-off, exception release, x-fix, PSE, MLR, or hotfix.
1.16.4 Patch Set
A Patch Set is a mechanism for delivering fully tested and integrated product fixes that can be applied to installed components of the same release. Patch Sets include all fixes available in previous Bundle Patches for the release. A Patch Set can also include new functionality.
Each Patch Set includes the libraries and files that have been rebuilt to implement bug fixes (and new functions, if any). However, a patch set might not be a complete software distribution and might not include packages for every component on every platform.
All fixes in the Patch Set have been tested and are certified to work with one another on the specified platforms.
1.17 Recommendations
Oracle has certified the dependent Middleware component patches for Identity Management products and recommends that Customers apply these certified patches.
For more information on these patches, see the note Certification
of Underlying or Shared Component Patches for Identity Management Products (Doc ID
2627261.1)
at https://support.oracle.com.
1.18 Bundle Patch Requirements
To remain in an Oracle-supported state, apply the Bundle Patch to all installed components for which packages are provided. Oracle recommends that you:
- Apply the latest Bundle Patch to all installed components in the bundle.
- Keep OAM Server components at the same (or higher) Bundle Patch level as installed WebGates of the same release.
1.19 Applying the Bundle Patch
The following topics help you, as you prepare and install the Bundle Patch files (or as you remove a Bundle Patch should you need to revert to your original installation):
Note:
-
You must install the following mandatory patches:
- OPSS: 36316422
- OWSM: 37035947
- OINAV: 37054395
- WLS Patch: 37453807
- libovd: 36649916
- EM one-off: 34542329
- ADF: 37388935
- Coherence: 37351860
- FMW Thirdparty Bundle: 37374672
-
From March 2024, the Oracle Access Manager (OAM) components using SIMPLE-mode certificates for communication will not work, resulting in an outage in the OAM environment, unless preventive measures are taken. For more information, see March 2024 Expiration Of The Oracle Access Manager (OAM) Out Of The Box Certificates (Doc ID 2949379.1) at https://support.oracle.com.
1.19.1 Using the Oracle Patch Mechanism (OPatch)
The Oracle patch mechanism (OPatch) is a Java-based utility that runs on all supported operating systems. OPatch requires installation of the Oracle Universal Installer.
Note:
Oracle recommends that you have the latest version of OPatch from My Oracle Support. OPatch requires access to a valid Oracle Universal Installer (OUI) Inventory to apply patches.
Patching process uses both unzip and OPatch executables. After sourcing the
ORACLE_HOME
environment variable, Oracle recommends that you
confirm that both of these exist before patching. OPatch is accessible
at:$ORACLE_HOME/OPatch/opatch
When OPatch starts, it validates the patch to ensure there are no conflicts with the
software already installed in your $ORACLE_HOME
:
-
If you find conflicts with a patch already applied to the
$ORACLE_HOME
, stop the patch installation and contact Oracle Support Services. -
If you find conflicts with a subset patch already applied to the
$ORACLE_HOME
, continue the Bundle Patch application. The subset patch is automatically rolled back before the installation of the new patch begins. The latest Bundle Patch contains all fixes from the previous Bundle Patch in$ORACLE_HOME
.
This Bundle Patch is not -auto flag enabled. Without the -auto flag, no servers need to be running. The Machine Name & Listen Address can be blank on a default install.
Perform the steps in the following procedure to prepare your environment and download OPatch:
-
Log in to My Oracle Support: https://support.oracle.com/
-
Download the required OPatch version.
-
Use
opatch -version
to check if your OPatch version is the latest. If it is an earlier version of OPatch, download the latest version. -
Confirm if the required executables opatch and unzip are available in your system by running the following commands:
Run which opatch
- to get path of OPatchRun which unzip
- to get path of unzipCheck if the path of the executables is in the environment variable "PATH", if not add the paths to the system PATH.
-
Verify the OUI Inventory using the following command:
opatch lsinventory
Windows 64-bit:
opatch lsinventory -jdk c:\jdk180
If an error occurs, contact Oracle Support to validate and verify the inventory setup before proceeding. If the
ORACLE_HOME
does not appear, it might be missing from the Central Inventory or the Central Inventory itself could be missing or corrupted. -
Review information in the next topic Applying the OAM Bundle Patch
1.19.2 Applying the OAM Bundle Patch
Use information and steps here to apply the Bundle Patch from any platform using Oracle patch (OPatch). While individual command syntax might differ depending on your platform, the overall procedure is platform agnostic.
The files in each Bundle Patch are installed into the destination
$ORACLE_HOME
. This enables you to remove (roll back) the Bundle
Patch even if you deleted the original Bundle Patch files from the temporary
directory you created.
Note:
Oracle recommends that you back up the $ORACLE_HOME
using your
preferred method before any patch operation. You can use any method (zip, cp -r,
tar and cpio) to compress the $ORACLE_HOME
.
Formatting constraints in this document might force some sample text lines to wrap around. These line wraps should be ignored.
To apply the OAM Bundle Patch
OPatch is accessible at $ORACLE_HOME/OPatch/opatch
. Before
beginning the procedure to apply the Bundle Patch be sure to:
-
Set
ORACLE_HOME
For example:
export ORACLE_HOME=/opt/oracle/mwhome
-
Run
export PATH=<<Path of OPatch directory>>:$PATH
to ensure that the OPatch executables appear in the system PATH. For example:export PATH=$ORACLE_HOME/OPatch:$PATH
1.19.3 Applying the OAM Bundle Patch in Multi Data Center (MDC)
Use the information and steps described here to apply the Bundle Patch in an MDC setup.
It is recommended that you upgrade or patch the Master data center followed by each of the Clone data centers.
- Upgrade or apply the patch on the Master data center. For more information, see Applying the OAM Bundle Patch.
- Disable Automated Policy Synchronization (APS) between Master and the Clone data center that needs to be patched. For details, see Disabling Automated Policy Synchronization in Administering Oracle Access Management.
- Ensure that
WriteEnabledFlag
istrue
in oam-config.xml. If it is not enabled, set theWriteEnabledFlag
totrue
in Clone data center using the following WLST commands.connect('weblogic','XXXX','t3<a target="_blank" href="://localhost:7001'">://localhost:7001'</a>) domainRuntime() setMultiDataCenterWrite(WriteEnabledFlag="true")
- Upgrade or apply the patch on the Clone data center.
- Change the
WriteEnabledFlag
tofalse
in the Clone data center using the following WLST commands:connect('weblogic','XXXX','t3<a target="_blank" href="://localhost:7001'">://localhost:7001'</a>) domainRuntime() setMultiDataCenterWrite(WriteEnabledFlag="false")
Note:
The Clone data center must be made write-protected before enabling APS to ensure that there are no inconsistencies between the data centers. - Re-enable APS between Master and the upgraded Clone data center. For details, see Enabling Automated Policy Synchronization in Administering Oracle Access Management.
1.19.4 Recovering From a Failed Bundle Patch Application
If the AdminServer does not start successfully, the Bundle Patch application has failed.
- Confirm that there are no configuration issues with your patch application.
- Confirm that you can start the AdminServer successfully.
- Shut down the AdminServer and rollback the patch as described in Removing the Bundle Patch then apply the Bundle Patch again.
1.20 Removing the Bundle Patch
If you want to rollback a Bundle Patch after it has been applied, perform the following steps. While individual command syntax might differ depending on your platform, the overall procedure is the same. After the Bundle Patch is removed, the system is restored to the state it was in immediately before patching.
Note:
- Removing a Bundle Patch overrides any manual configuration changes that were made after applying the Bundle Patch. These changes must be re-applied manually after removing the patch.
- Use the latest version of OPatch for rollback. If older versions of the
OPatch is used for rollback, the following fail message is
displayed:
C:\Users\<username>\Downloads\p37430708_122140_Generic\37430708 >c:\Oracle\oam12214\OPatch\opatch rollback -id 37430708 Oracle Interim Patch Installer version 13.9.2.0.0 Copyright (c) 2020, Oracle Corporation. All rights reserved. ...... The following actions have failed: Malformed \uxxxx encoding. Malformed \uxxxx encoding.
Follow these instructions to remove the Bundle Patch on any system.
1.21.1 Resolved Issues in OAM Bundle Patch 12.2.1.4.241227
Table 1-1 Resolved Issues in OAM Bundle Patch 12.2.1.4.241227
Base Bug Number | Description of the Problem |
---|---|
36834063 | WLST SAVEACCESSARTIFACTS AND DOWNLOADACCESSARTIFACTS DISPLAY OAM SCHEMA PASSWORD |
37205986 | ERROR IN MAPPING NEW OAUTH DOMAIN CERT VIA END POINT - KEYPAIRADMIN/KEYPAIR |
35730510 | OAM12C: FMWCONFIG\KEYSTORES.XML GETS TRUNCATED WITH ADMINSERVER RESTART |
37056339 | INCORRECT ERROR THROWN FOR LDAPCONNECTIONEXCEPTION ERRORS |
37143199 | OAM 12C - USERPASSWORDCHANGECHECKENABLE GENERATES NPE WHEN USED WITH IDS PROFILE |
36404773 | PKCE ISSUE AFTER OAM PATCHING |
37166257 | Fix for Bug 37166257 |
36607545 | OAM SESSION SUPPORTS ONLY 5 LARGE ENCODED OBJECTS |
37041275 | APRIL 24 BP: ERROR ON LOGIN WHEN LANGUAGE PICKER IS ENABLED AND ADAPTIVE MODULE IS USED |
36928507 | GETPARTNER API AFTER UPDATING THE PARTNER DETAILS IS NOT RETURNING FEW PARAMETERS OF PARTNER |
37164042 | QUERY PARAMETERS STRIPPED FROM BACKURL AFTER PASSWORD CHANGE |
36117541 | WEBSERVER HOST ADDED AS INVALID AGENT TO MONITORING TOOLS AFTER
UPGRADE TO PS4
The following system property must be set to false in
setDomainEnv.sh file to use this
feature:
|
36963201 | CUSTOM SESSION ATTRIBUTES ARE MISSING AFTER JULY BP |
36978601 | FORGOT PASSWORD LINK IN CHANGING THE LANGUAGE DOES NOT WORK FOR DUTCH |
36903429 | SOME CHANGE PASSWORD RULES ARE URL-ENCODED ON THE /OTPFP/INITCHANGEPSWD PAGE |
37032960 | OPTION TO HAVE ONE AUDIENCE DEFINED IN A JWT TOKEN IN 3-LEGGED |
36537244 | JAVA.LANG.EXCEPTIONININITIALIZERERROR ON CUSTOM CONSENT PAGE |
1.21.2 Resolved Issues in OAM Bundle Patch 12.2.1.4.241009
Table 1-2 Resolved Issues in OAM Bundle Patch 12.2.1.4.241009
Base Bug Number | Description of the Problem |
---|---|
36988215 | DCC TUNNELING NOT WORKING WITH14.1.2.0.0 WEBGATE |
22086890 | Fix for Bug 22086890 |
36698101 | SOAP ERROR AFTER APPLYING 36268742 WHEN ARTIFACT BINDING IS ENABLED |
36800770 | FORGOT PASSWORD FLOW FAILING DUE TO THE OLDER JACKSON DEPENDENCY |
36304146 | THREAD DUMPS FROM ORACLE.OAM.PROXY.OAM LOGGER |
36783960 | OAM - CHANGES TO SUPPORT 14C DCC WEBGATES |
36500395 | IDP DISCOVERY SERVICE "DISCOVERY.JSP" ADDING PREFIX "/OAMFED/" TO THE RETURN URL |
30674068 | UNABLE TO CHANGE OAUTH AUTHZ CODE EXPIRYTIME FROM THE HARDCODED 5 MINUTE VALUE |
35313268 | ENH - OPENID - NEW ID TOKEN TO BE PROVIDED WHEN USING THE REFRESH TOKEN |
26417358 | Fix for Bug 26417358 |
19988352 | Fix for Bug 19988352 |
34381899 | Fix for Bug 34381899 |
36975884 | PLUGINS TO FACILITATE MFA WITH OAA |
36789669 | OAM RESOURCE PASSWORDLESS FLOW FAILS WITH SYSTEM ERROR |
36734401 | CHIPS CONFIG DEPENDENCY ENHANCEMENT |
36666715 | PARTNER KEY UI OPTIMIZATION |
36248319 | OAM COOKIES BLOCKING IFRAMING FA PAGE IN VB |
36124197 | AUTOMATIC REUSE DETECTION OF OAUTH TOKENS |
16315022 | Fix for Bug 16315022 |
36805629 | OAUTH ACCESS TOKEN AUD CONTAINS AUTHORIZATION SERVER URL IN A
2-LEGGED FLOW
The following system property must be set to
false in
setDomainEnv.sh file to use this
feature
By
default the system property value is |
36739991 | WRONG ALGORITH DISPLAYED ON THE .WELL-KNOWN/OPENID-CONFIGURATION URL |
36724949 | OTP PASSWORD RESETS FAILS AFTER APPLYING APRIL 2024 CPU PATCHES |
36766496 | ORA-14300: PARTITIONING KEY MAPS TO A PARTITION OUTSIDE MAXIMUM PERMITTEDNUMBER |
36694433 | FAILEDCOUNTFIELD NOT UPDATED FOR OMA FLOW |
36268742 | OAM SOAP FAULT RESPONSES MISSING ENVELOPE |
1.21.3 Resolved Issues in OAM Bundle Patch 12.2.1.4.240701
Table 1-3 Resolved Issues in OAM Bundle Patch 12.2.1.4.240701
Base Bug Number | Description of the Problem |
---|---|
36714022 | ANDROID PUSH NOTIFICATION MFA : CHANGES IN GOOGLE FCM API FOR PUSH NOTIFICATION FLOW |
36534269 | AFTER JAN OR APR 20 IDM SPB 24 OAM MFA SMS PHONEMASKREGEX STOPS MASKING |
36416361 | ABLE TO AUTHENTICATE WITH OMA WHEN ACCOUNT IS LOCKED |
33471957 | ER: OAM 12.2.1.4 - REQUEST RS512 TOKEN SIGNING ALGORITHM FOR OAUTH |
36345002 | REVOKING OAUTH TOKEN BY MTLS CLIENT FAILS WITH "INVALID CLIENT CREDENTIALS" |
36502257 | INVALID INPUT USING COLON IN RESOURCESERVERNAMESPACEPREFIX FOR OAUTH SCOPES
Note: The following system property must be set to
|
36015259 | PUBLICCLIENTREFRESHTOKENENABLED & GRANTTYPEREFRESHTOKENENABLED VISIBLE IN CLAIM |
36103252 | CVE-2020-13956 |
36416071 | OAM 12CR4 - OTP AUTHENTICATION FAILS AFTER APPLYING JANUARY SPB PATCH 36179836 |
36495989 | OAUTH TOKEN INFO ENDPOINT IS NOT RFC COMPLIANT
Note: The following system property must be set to
|
36022806 | WITH ENABLEEXTRASAMLATTR SET TRUE , SESSION SHOULD SUPPORTS MORE THEN 40 STRING TYPE PROPERTIES |
36172877 | FEDERATION PROXY ENABLED FLOW : AUTHENTICATED FEDERATED USER SHOULD
BE PASSED TO USERIDENTIFICATIONPLUGIN
Note: The following system property must be set to
|
36565740 | 14.1.2:OAMCONSOLE ACCESS VIA OHS RETURNS OPERATION ERROR IN HA SETUP |
36268857 | IOS PUSH NOTIFICATIONS DO NOT WORK WITH THE JAN 24 BP RELEASE |
36293695 | UPDATE OAUTH CLIENT UPDATES CLIENT SECRET |
36410353 | OAM FAILS WHEN BROWSER SENDS 2 OAM_ID COOKIES |
1.21.4 Resolved Issues in OAM Bundle Patch 12.2.1.4.240328
Table 1-4 Resolved Issues in OAM Bundle Patch 12.2.1.4.240328
Base Bug Number | Description of the Problem |
---|---|
36413066 | LEVERAGE THE SESSION VALIDATE END-POINT TO REGENERATE OAM_RM TOKEN BASED ON A TAP TOKEN |
35299815 | REMOVE THE ABILITY TO CREATE/EDIT OAM SERVERS OR WEBGATE AGENTS IN SIMPLE MODE |
36282327 | WEBGATE AGENT REGISTRATION INSTALLS EXPIRING SIMPLE CERTIFICATES INTO THE AGENT ARTIFACTS |
36408603 | API KEY LIFECYCLE OPTIMISATION |
36424469 | API KEY UI OPTIMIZATION - UI BUG FIX |
36277851 | CVE-2019-0231 |
36408621 | API KEY UI OPTIMIZATION |
36277847 | OAM AUTHENTICATION API FOR OUA NEEDS TO RETURN PASSWORD POLICY RELATED CODES |
36377223 | ID_TOKEN SUPPORT WHILE CREATING DOMAIN |
36103295 | CVE-2022-24329 |
36362711 | DOMAIN RETRIEVAL FAILS AFTER ROLLBACK |
34906532 | INVALIDATE ACCESS TOKEN IF USERS PASSWORD IS UPDATED |
33806048 | ER - POSSIBILITY OF USING 2 CERTIFICATES AT THE SAME TIME IN FEDERATION |
35984683 | OAUTH CLIENT SECRET EXPIRATION AND ROTATION |
36336356 | NPE IS THROWN WHILE GENERATING access_token and id_token USING MULTIPLE FLOWS |
36252694 | CUSTOM CLAIMS NOT PRESENT IN ACCESS TOKEN FOR IMPLICIT GRANT_TYPE |
35194455 | ER - OPTION TO CUSTOMIZE THE ISSUER DISCOVERY IDENTIFIER AND ISS TOKEN CLAIM |
35662872 | LONGER VALABILITY FOR ID_TOKEN THAN ACCESS_TOKEN |
35188279 | MASK SAML RESPONSE ATTRIBUTES IN OAM LOG MESSAGE |
34911587 | CONSENT PAGE THROWS ERROR IF THE END USER DELAY TO APPROVE 5MIN |
34840243 | CHECK AUTHENTICATIONCONTEXT WHEN OAM IS ACTING AS SP |
36090820 | OBLOGINTRYCOUNT UPDATES INCONSISTENT FOR DEACTIVATED USER |
36129573 | MDC OAUTH CONSENT MANAGEMENT FAILS IF MASTER DC IS DOWN AFTER OCT
2023 PS4 BP
Note: In the MDC Clone set the following system property to
|
35946569 | OAUTH RESOURCE SERVER CREATION FAILS WITH SPECIAL CHAR IN ANY FIELD
Note: The following system property must be set to
|
36264952 | 1412 soa sso logout issue after integration with 1412 OHS/12214 OAM for SSO |
36029627 | OAM OAUTH: STATE PARAMETER IN CALLBACK URL GET ENCODED IN 12CR2
PS4
Note:
|
35854499 | OAM 14C ENT: OAM NEEDS TO SUPPORT MD5 HASHING FOR LEGACY WEBGATES |
21271197 | MULTIPLE ROWS FOR OAMS.OAM_OAM METRIC WHILE RETRIEVING AUTHENTICATION REQUESTS |
1.21.5 Resolved Issues in OAM Bundle Patch 12.2.1.4.240109
Table 1-5 Resolved Issues in OAM Bundle Patch 12.2.1.4.240109
Base Bug Number | Description of the Problem |
---|---|
35986960 | OAUTH 2.0 RUNTIME API ENDPOINTS SHOULD SUPPORT IDENTITYDOMAIN IN FORM PARAMETERS ALSO |
35790270 | OAM12C TIME SESSION |
35776509 | REST API NOT SHOWING CERTIFICATE EXPIRATION DATE FOR MANUALLY CONFIGURED PARTNER |
35974882 | OAUTH 2.0 AUTHORIZE 3L ENDPOINT INCORRECTLY RETURN IN QUERY MODE WHILE RESPONSE_MODE=FORM_POST IS REQUESTED IF "CONSENTEXPIRYTIMEINMINUTES" DOMAIN CUSTOM ATTRIBUTE IS SET |
35777407 | OIDC: SUPPORT OF "RESPONSE_MODE" NEEDED IN THE "AUTHORIZATION CODE GRANT FLOW" |
35820991 | EMAIL_VERIFIED CLAIM IS BOOLEAN BUT ID_TOKEN RETURN IT AS STRING |
35798094 | CVE-2023-3635 |
35798089 | CVE-2021-0341 |
35823067 | SCOPE NAME WITH : WORKS WITH POST TO ADD BUT NOT WITH PUT / UPDATE |
35840877 | OTP NOT WORKING FOR NEW USERS POST PATCHING WITH ER 34394159 |
35952776 | NULL CHECKS NEED TO BE ADDED FOR PROGRAMMATIC AUTHN REST INTERFACES |
35437597 | OAM 12CPS4 - WITH ER 35186662 ID_TOKEN VALUE IN HEADER/COOKIE RESPONSES IS NOT BASE64 ENCODED |
35943082 | PROVIDE REST INTERFACES FOR PROGRAMMATIC AUTHN LEVERAGING OAM RM TOKEN |
31471722 | [ER] NEED REFRESH TOKEN RESPONSE WHEN MAKING A GRANT_TYPE=REFRESH_TOKEN OAUTH |
35650808 | IS REFRESH TOKEN RETURNED IN WHEN USING MOBILE_CLIENT AS A CLIENT TYPE |
35786620 | HANDLING OF SYSTEM ERRORS UNDER DIFFERENT MFA FLOW ERRORS FROM OAA TO OAM |
35745907 | PIPELINE DELIMITER BREAKS FEDERATION |
35896603 | USERS ENCOUNTERS RUNTIME ISSUES AT MFA |
35854158 | Fix for Bug 35854158 |
34394159 | OAM 12C - NEED AN OPTION TO LIMIT THE NUMBER OF TOTP GENERATED |
1.21.6 Resolved Issues in OAM Bundle Patch 12.2.1.4.231005
Table 1-6 Resolved Issues in OAM Bundle Patch 12.2.1.4.231005
Base Bug Number | Description of the Problem |
---|---|
34162278 | IMPLICIT GRANT FLOW OIDC USERSCOPE DATA TO BE MADE AVAILABLE THROUGH PAYLOAD |
35480610 | GETSESSIONINFORESPONSE BREAKS IN CLUSTER ENV, IF IDSTOREREF IS EMPTY |
35327681 | DIAG: NEED TO LOG BELOW ERROR AT WARNING LEVEL |
35315633 | SERVICE MANAGER APPLY API TIME IMPROVEMENT TO APPLY CHANGES IMMEDIATELY AND THREAD SAFE |
35605163 | OAM 12C - TYPO IN OIDC PLUGIN: OUATH_CLIENT_SECRET INSTEAD OF OAUTH_CLIENT_SECRET |
35591710 | INVALID HINT IN APPLICATION SQL OR INVALID INDEX NAME ON AM_SESSION RELATED INDICES |
35250383 | MISSING BROWSER TYPE INFORMATION INTO AUDIT DATABASE TABLE OAM 12C ENV |
35504810 | OAUTH: SESSION_ID CLAIM FROM JWT TOKEN NOT MATCHING SESSION_ID FROM OAM SERVER |
35692992 | OAA PLUGIN ATTR VALUE SEND TO OAA TO BE USED AS EXTERNAL_ID IS NOT CONFIGURABLE |
35386271 | OOTB CERTIFICATE STILL VISIBLE AFTER CONFIGURING 3RD PARTY KEY PAIR |
35269389 | TOKEN VALIDATION: PASSING ACCESS_TOKEN AS A HEADER INSTEAD OF QUERY PARAMETER |
28461556 | X-OAUTH-IDENTITY-DOMAIN-NAME AS QUERYPARAMETER TO OAM12C ACCESS TOKEN END POINT |
35552946 | OPENIDCONNECTPLUGIN : OAUTHTOKEN NOT GENERATING AND NOT SETTING
KEY_USERNAME
Note: In the Custom OIDC Authentication Module , make suredonotpassclientid=true is set in
the additional attributes of openidconnectPlugin .
|
35470456 | LOGOUT USING CUSTOM PAGE FAILED W/ MALFORMED URL W/ RETURNURLVALIDATIONENABLED |
35327246 | OAUTH SSO LINKING : ACCESS TOKEN IS VALIDATED AFTER SESSION TIMEOUT |
35217506 | CVE-2021-37136 |
35509441 | OIDC PLUGIN NOT SETTING KEY_USERNAME |
35208828 | ENH - NEED THE SOLUTION FROM BUG 30267123 FOR SERVERREQUESTCACHETYPE=COOKIE |
35515193 | COULD NOT GET THE DECRYPTING SYMMETRIC KEY, GOT PRIVATE KEY
INSTEAD
Note: For this fix set the following parameter:-Doracle.oam.fed.isAdviceIgnoreEnabled=true |
34820203 | PASSWORD CHANGE PAGE ISSUE FOR SPECIAL CHARACTERS RESTRICTION |
35371374 | POLICY CACHE AUDIT EVENTS SHOULD DISPLAY POLICY DETAILS |
34760767 | ACCESS TOKEN GENERATED WITHOUT A CONSENT |
34868608 | COMMON CRITERIA - NULL CIPHER DURING TLS HANDSHAKE CAUSES CPU TO SPIN |
32406872 | PKCE : OAM DOES NOT VALIDATE THE CODE GENERATED WITHOUT PADDING |
35724621 | OAA AND OAM INTEGRATION AND INSTALLATION AND ACCESS OF OAAADMIN-UI AND SPUI ACCESS INCONSISTENCIES |
1.21.7 Resolved Issues in OAM Bundle Patch 12.2.1.4.230628
Table 1-7 Resolved Issues in OAM Bundle Patch 12.2.1.4.230628
Base Bug Number | Description of the Problem |
---|---|
35194283 | SAML:AUDIENCE AS MULTI-VALUE AND NOT AS LIST |
34634700 | IDP DISCOVERY SERVICE FAILS WITH 'INVALID OR NULL RESPONSE
URL'
Note: For this fix set the following parameter:-Doam.federationProxyEnabled=false |
35198097 | AFTER APPLY DEC-2022 OAM BP SUITE THE MDC APS BLOCKED |
34556443 | JBO-25006: INDEX OUT OF RANGE WITH A LARGE NUMBER OF ENCRYPTION KEYS IN ADMIN C |
34018795 | FUNCTIONALITY TO ALLOW CACHE CONTROLLED BY REQUEST URL |
35205538 | PASSWORD CHANGE PAGE NOT RENDERING PROPERLY IF NEW PASSWORD DOES NOT MEET SPECIAL CHARCTER RULE |
35205593 | PASSWORD RULES ARE MISSING IN CHANGE PASSWORD PAGE |
27918612 | SAML ATTRIBUTE VALUE IS NULL WHEN ONE OF THE USER ATTRIBUTE VALUE IS NULL IN COM |
32804378 | OAM / OAUTH IMPERSONATION & DELEGATION SUPPORT (RFC8693) |
35131903 | OAUTH TOKEN ONLY CONTAINS 'GRANT' CLAIM FOR AUTHZ CODE GRANT
TYPE
Note: enableDisplayGrantType custom attribute must be set to true in the
OAuth identity domain to enable the grant type in the access token. By default it is
set to false.
|
35112063 | SP ATTRIBUTE PROFILE MAPPING : USER ATTRIBUTE CASING ISSUES |
35080285 | "JDBCLOCATEEXCEPTION: FAILED TO LOCATE USER" AFTER UPGRADING TO 12.2.1.4 |
35186662 | OPENIDCONNECTPLUGIN PLUGIN SHOULD SET TOKENS AS SESSION RESPONSES |
34911015 | UNABLE TO RETRIEVE THE OAUTH SECRETKEY USING THE REST APIS |
34092777 | CVE-2020-36518 |
1.21.8 Resolved Issues in OAM Bundle Patch 12.2.1.4.230317
Table 1-8 Resolved Issues in OAM Bundle Patch 12.2.1.4.230317
Base Bug Number | Description of the Problem |
---|---|
35012645 | Fix for Bug 35012645 |
34866912 | NULL POINTER EXCEPTION AFTER USING 34085191 WITH BP12 |
34979560 | USERID WITH SPECIAL CHARACTER }) COMBINATION FAILED TO AUTHENTICATE
TO OID
Note: The following Java parameter must be set to By default this property is set to |
35058183 | OAM 12C - OAUTH CERTIFICATE IS USING KEY_OPS=SIGN INSTEAD OF KEY_OPS=VERIFY |
35117017 | Fix for Bug 35117017 |
35119994 | USERAUTHENTICATIONPLUGIN NULLPOINTEREXCEPTION PASSWORD GRANT FLOW PATCH 34791593 |
35066999 | X5T AND X5T#S256 DIGESTS FOR /OAUTH2/REST/SECURITY ARE NOT RFC COMPLIANT
Note:
|
35008348 | Fix for Bug 35008348 |
34616152 | OOTB JPS-CONFIG.XML HAS SYNTAX ERROR |
32598824 | OAM 12CPS3: LOGIN TO PROTECTED RESOURCE AFTER GLOBAL SESSION IDLE TIME OUT USING DIFFERENT USER ACCOUNT DETAILS IS NOT ALLOWED |
34831878 | ARTIFACTS ARE NOT PUSHED TO DB WHEN ADMIN SEVER IS STARTED FIRST TIME WITH 12CPS4 |
34987409 | OAUTH REST-API DOES NOT LIST GRANTTYPES WITH ACCEPT: APPLICATION/JSON |
35008310 | Fix for Bug 35008310 |
34994891 | USER HAS ALREADY EXISTING SESSION WITH SESSIONID AFTER TIMEOUT |
34791593 | PLUGIN EXECUTION FAILS WHEN INITIAL_COMMAND=NONE IS USED DURING
STEP-UP
Note: You should add the parameterplugin_stepup_flow=ON along with
INITIAL_COMMAND=NONE to the authentication scheme parameter
section. The OAM plugin then checks whether the OAM_ID cookie is
present and the user has been authenticated. If present, the flow checks whether it
matches the authenticated user and then the plugin returns success.
|
34727970 | /OAUTH2/REST/TOKEN/INFO ENDPOINT RESPONSE DO NOT COMPLY JSON FORMAT
FILE
Note: The following Java parameter must be set to By default it is set to |
34718515 | PASSWORD CHANGE PAGE ISSUE FOR OAM SSL AND SPECIAL CHARACTERS RESTRICTION |
34881208 | END USER/SOURCE SYSTEM IP NOT PRESENT IN FED AUDIT LOGS |
34676152 | OAM_REMOTE_USER HEADER IS GETTING SET TO USER CN INSTEAD OF UID |
1.21.9 Resolved Issues in OAM Bundle Patch 12.2.1.4.221208
Table 1-9 Resolved Issues in OAM Bundle Patch 12.2.1.4.221208
Base Bug Number | Description of the Problem |
---|---|
34847202 | Fix for Bug 34847202 |
34734586 | Fix for Bug 34734586 |
34765801 | DIAG: "REQUIRE TO APPLY LIBOVD PATCH#33368783" MESSAGE EVEN THOUGH PATCH IS APPLIED |
33327287 | SIMPLE MODE GLOBAL PASSPHRASE UPDATE DOES NOT PUSH NEWLY GENERATED ARTIFACTS TO DB |
34350022 | APP DOMAIN TIME OUT NOT WORKING FOR ADAPTIVEAUTHNSCHEME |
34670445 | CUSTOMIZE LOGOUT PAGE ON MDC FEDERATED PROXY ENVIRONMENT |
34728321 | 12.2.1.4 OCT 2022 BP BREAKS FEDERATED LOGINS WHEN SHA-256 IS USED |
34756122 | HIGH CPU IN PRODUCTION OAM SERVER WHEN USERNAME IS EMPTY IN USERIDENTIFICAIONPLUGIN |
34282474 | RELOGIN DOES NOT REDIRECT TO SUCCESS URL AFTER LOGOUT |
34550841 | LOGOUT ADDS A QUESTION MARK CHARACTER TO THE LOGOUT TARGET URL |
34639003 | FED IDP FAILS WHEN LOADING /OAMFED/POSTPROFILE.JSP |
34461263 | OAM SESSION SUPPORTS ONLY 10 ENCODED SUBJECT STRING TYPE PROPERTIES |
34451944 | OAUTH AUTHZ FAILS IF WNA FALLBACK FORM IS ENABLED AND STATE PARAM IS VERY LONG |
34483288 | WHILE USING OAUTH ENDPOINT THE REDIRECT URL IS ENCODED TWICE
Note: The following Java parameter must be set insetDomainEnv.sh to enable this feature:
|
34530517 | UNABLE TO RESET PASSWORD OR CONTINUE AFTER PASSWORD WITHIN WARNING PERIOD |
34636811 | OAM JIT : DISPLAYS THE CONTENT OF HTML FILE USED IN AUTHENTICATION SCHEME IN USER AUTO-PROVISIONING WITH PASSWORD PROMPT FLOW |
34501342 | OAUTH CUSTOM CLAIMS PLUGIN SUPPORT FOR 'REFRESH_TOKEN' GRANT_TYPE |
34456006 | OAM_RES STILL APPEARS WHEN AUTHZCALLBACKENABLED IS SET TO FALSE |
34298417 | OAUTH :VALIDATE TOKEN API : CONSENT CREATION TIME IS AFTER LDAP
RESPONSE READ TIMED OUT
Note:
|
1.21.10 Resolved Issues in OAM Bundle Patch 12.2.1.4.220906
Table 1-10 Resolved Issues in OAM Bundle Patch 12.2.1.4.220906
Base Bug Number | Description of the Problem |
---|---|
34411580 | LDAP ATTRIBUTE NOT CAPTURED IN COOKIE USING PREFETCH |
34085191 | SETSPPARTNERDEFAULTSCHEME() FAILS FOR NEW AUTHN SCHEMES IF POLICY MGR IS UP |
34461370 | Fix for Bug 34461370 |
34020728 | OAM 12CPS4: /OAUTH2/REST/USERINFO RETRIEVING 400 RESPONSE CODE IF AUTHZ CODE GENERATED WITH CUSTOM AND OPENID SCOPES |
32960094 | SUPPORT FOR CUSTOM ATTRIBUTES IN SAML RESPONSE
Note: The following system property must be set insetDomainEnv.sh to enable this feature:
|
34373383 | Fix for Bug 34373383 |
34469057 | JSON FORMAT WHILE LISTING ALL THE IDENTITY DOMAINS |
34359848 | OAM AS IDP FAILS WITH SSO SESSION IS NULL OR INVALID |
34353017 | OAM 12C SYSTEM ERROR AFTER 15 MINS(DEFAULT REQ TIMEOUT) PASSED ON LOGIN PAGE |
34467460 | OAUTH FLOW BREAKS WHEN REDIRECT URL CONTAINS "?" |
31916721 | OAUTH :12CPS4 : CLIENT SECRET: NOT ABLE TO VIEW \ RETRIEVE |
34247621 | GREEK LETTERS IN IN GROUP NAME BREAK OAM - ADAPTIVE AUTHENTICATION RULE |
33629727 | AUTHENTICATION MODULES MISSING ON CLONE |
34223066 | OAM SERVER: MDC : COUPLE OF ERRORS ARE FLOODING THE LOGS |
34403516 | OAM DOES NOT THROW INVALIDMETADATAFILEEXCEPTION WHEN KEYINFO CORRUPTED IN PARTNER METADATA |
34241746 | APP DOMAIN LAST ACCESS TIME NOT UPDATING RESULTING IN UNEXPECTED IDLE TIMEOUTS |
34234548 | OAM_LOGOUT_CALLBACK_URLS NOT GETTING INVOKED WITH 12CPS4 DCC WEBGATES UNLIKE 11G WEBGATES |
34187283 | MULTIVALUEGROUPS DOES NOT WORK PROPERLY WHEN FEDERATION IS ACTING AS
PROXY
For federation proxy use cases, if a multi-valued attribute
returned by an Identity Provider (IdP) needs to be sent back to the Service Provider
(SP) as a multi-valued attribute, the following configuration must be done from the
OAM console.
|
34238089 | OAM REST API EXPECTING AUTHORIZATION HEADER ON PREFLIGHT OPTIONS CALL |
34060169 | ORA-01878 CAUSING PARTITIONS COUNT TO INCREASE IN 100S IN PROD |
34049361 | NEED 28228295 TO COVER 'CLIENT_CREDENTIALS' GRANT_TYPE |
34149570 | FAILONCONSENTSTOREERROR : NOT WORKING FROM BP 06 ONWARD |
34142447 | STORAGE NOT CONFIGURED ERROR MESSAGE IN DETAILED SESSION SEARCH OAM 12C |
34020168 | GETTING XMLSTREAMEXCEPTION IN OAM STARTUP LOG AFTER DEPLOYING CUSTOM WAR |
32927966 | OAM SP DOES NOT KNOW SIGNATURE ALGORITHM SHA256-RSA-MGF1 IN SAML
RESPONSE
Note: This bug is dependent on OWSM patch 34839859. |
1.21.11 Resolved Issues in OAM Bundle Patch 12.2.1.4.220623
Table 1-11 Resolved Issues in OAM Bundle Patch 12.2.1.4.220623
Base Bug Number | Description of the Problem |
---|---|
33843455 | OAM 12.2.1.4 - OAUTH CLIENT APP FAILS WITH ERROR - STATE STRING NOT VALID |
33822933 | 12CPS3 : PROFILE EMAIL CLAIM ATTRIBUTE MAPPING |
33752393 | OAMREAUTHENTICATE IS PASSING ON URLS IN QUERY STRING IN DECODED
FORMAT
Note: You can enable the fix by adding the following Java parameter insetDomainEnv.sh :
-Doracle.oam.proxy.queryStringDecoding=false. |
34031691 | PASSWORD RULES NOT DISPLAYED IN FR_CA |
33901539 | SYSTEM ERROR WHEN CUSTOMER TESTING SSO WITH CORNERSTONE IDP |
27050584 | HOW TO MAKE IDP DN MAPPINGS CASE INSENSITIVE WITH 11.1.2.3 FEDERATION |
33735897 | USERPRICIPALNAME IS EXTRACTED WITH SPECIAL CHARACTERS FOR SOME USERS WHILE USING THE X509 AUTHENTICATION |
33837000 | CONFIGUREPOLICYRESPONSES DOES NOT WORK AS EXPECTED
Note: You can use this feature by adding the following Java property insetDomainEnv.sh :
-Doam.fed.attr.isReplaceBackslashComma=true |
34088890 | MFA OTP AUDIT |
1.21.12 Resolved Issues in OAM Bundle Patch 12.2.1.4.220404
Table 1-12 Resolved Issues in OAM Bundle Patch 12.2.1.4.220404
Base Bug Number | Description of the Problem |
---|---|
33856331 | PASSWORD RULES NOT DISPLAYED IN FRENCH |
33814292 | REMOVING UNUSED LOGGING DEPENDENCIES |
33409018 | NEED HINTS FOR 2 OAM SQLS USED FOR DB SME SO AS TO USE CORRECT INDEXES |
33417041 | OAM/SERVICES/REST/ACCESS/API/V1/AUDIT/EVENTS 500 ERROR |
32910834 | 12CPS5 RUP: FILE NOT FOUND EXCEPTIONS IN EXPORT_OFFLINE_OIM AND IMPORT_OFFLINE_OIM |
32587773 | Fix for Bug 32587773 |
33724245 | TO SUPPORT THE ALLOW LIST FEATURE IN ORDER TO ENABLE EMBEDDING IN A FUSION APP IFRAME |
33841128 | MAKE OAA PLUGIN AN OOTB PLUGIN |
33913030 | USE SYSTEM->GETPROPERTY TO READ SYSTEM PROPERTY OAM.T2P.ENABLETOPOLOGYUPDATE |
33663608 | USERINFO ENDPOINT : RETURSN VALUES FOR REVOKED ACCESS TOKEN |
33645782 | OAM12C: UNABLE TO MODIFY AUTHN SCHEME WITH CHALLENGE MECHANISM OAM10G USING CURL |
33478014 | ERRORS/WARNINGS SEEN ON STARTING SERVERS AFTER OAM 12C |
33291908 | MAKE THE OAM_ID COOKIE DOMAIN-SCOPED, INSTEAD OF HOST SCOPED
The
following configuration properties are introduced in oam-config.xml:
To set the domain for
OAM_ID cookie perform the
following steps:
|
33021500 | ASDK FAILS TO CONNECT TO RUNNING OAM SERVER |
33466152 | JAVA.LANG.CLASSNOTFOUNDEXCEPTION AFTER OAM UPGRADE: KM 2806412.1
If the configured SME store is not DB then add the following Java
property in the
|
33556093 | AFTER APPLYING FIX FOR BUG 30771422 STILL WARNING ENTRIES ARE
SPAMMING THE LOGS
If you are using advanced authentication rules
containing requestMap[Cookie] then add the following system property in the
|
33604330 | ERRORS WHEN LOADING IPFWARNINGMSG.JSP & IPFPSWDCHANGEREQUEST.JSP |
33630956 | ENTEROTP.JSP USED IN PASSWORD FLOW DOES NOT HANDLE FRENCH LOCALE |
33690341 | INVALID INPUT WITH SPECIAL CHAR ON CLIENT_ID & CLIENT NAME
You can use this feature by adding the following Java property in
|
33654883 | OAM 12CP4:IN AUTHORIZATION POLICIES SESSION CUSTOME OR DYNAMIC ATTRIBUTES CONFIGURED FOR HEADER/COOKIES NOT RETRIEVED IN RESPONSE |
33585810 | UNSOLICITED LOGIN FAILS WITH OCT CPU PATCH USING CUSTOM PLUGIN. |
33560440 | PERFORMANCE ISSUE RELATED AM_SESSION TABLE DESPITE ENH 29337161 APPLY |
33521038 | OAM 12CPS4 BP8 EMAIL CLAIMS SCOPE IS MISSING IN THE ID TOKEN |
33604911 | NULLPOINTEREXCEPTION ON REST QUERY ON ../TRUSTEDPARTNERS/SP ENDPOINT |
33554950 | OCTOBER 2021 CPU PATCH BREAKS FEDERATION LOGIN
If OAM
is used as a federation proxy, add below System property in
|
33527784 | OIDC + WEBGATE APPS FAILING IN CLONE DC\S AFTER UPGRADE TO 12.2.1.4
Note: This is relevant only when different user identity stores are used for the OAuth identity domain and Authentication Policy for the OAuth consent resource. The following system property must be set insetDomainEnv.sh to enable this fix:
|
33392806 | FEDERATION: ATTRIBUTES CONFIGURED IN SP MAPPING PROFILE EMPTY IN SAMLRESPONSE |
1.21.13 Resolved Issues in OAM Bundle Patch 12.2.1.4.220113
Table 1-13 Resolved Issues in OAM Bundle Patch 12.2.1.4.220113
Base Bug Number | Description of the Problem |
---|---|
33533200 | AUTHZ CALL FAILS WHEN RDN HAS SPECIAL CHARACTER
Note: This bug is dependent on libovd patch 33638694. |
33518405 | Fix for Bug 33518405 |
33474333 | MDC: FAILURE TO GET ACCESS TOKEN FROM AUTHZ CODE IN LOCAL DC
Note: This is relevant only when different user identity stores are used for the OAuth identity domain and Authentication Policy for the OAuth consent resource. The following system property must be set insetDomainEnv.sh to enable this fix:
|
33368662 | HTTPTOKENEXTRACTOR PLUGIN DOES NOT PUT HEADER NAME IN THE CREDENTIAL
PARAMETER
Note: Headers must be comma separated if more than one header is configured inKEY_HEADER_PROPERTY for HTTPTOKENEXTRACTOR
plugin in the authentication module.
|
32923468 | MDC: ADAPTIVE AUTHENTICATION MODULE |
33389214 | INVOKING THE OAM SESSION REST API GET BAD REQUEST ERROR. |
33358965 | CHANGE PASSWORD RULES APPEAR TO BE URL ENCODED ON THE /OTPFP/USERSELECT PAGE |
33391677 | FEDERATED USER HAVING \ IS SENDING \5C\ TO LIBOVD WITH FILTERESCAPE
VALUE TRUE
Note: This bug is dependent on libovd patch 33638694. |
33142450 | USER STILL RETURNED TO THE URL EVEN WITH RETURNURLVALIDATIONENABLED |
33069979 | TAP INTEGRATION BETWEEN 12CPS4 OAM AND 11GR2PS3 OAAM IS NOT
WORKING
Note: The following Java parameter must be set to By default, it is |
33242499 | STRESS:FA:ATK:FMW12C: LOGON STORM TEST IS FAILING WITH 500 CLIENTS |
33275487 | STRESS:FA:ATK:FMW12C: CONCURRENTMODIFICATIONEXCEPTION SEEN IN OAM LOGS WHEN DIAGNOSTIC LOGGING ENABLED |
33109073 | OAMREAUTHENTICATE WORKS ONLY FIRST TIME |
1.21.14 Resolved Issues in OAM Bundle Patch 12.2.1.4.210920
Table 1-14 Resolved Issues in OAM Bundle Patch 12.2.1.4.210920
Base Bug Number | Description of the Problem |
---|---|
33192650 | "SYSTEM ERROR" ON THE CLONE DATA CENTER WITH OAM 12.2.1.4.210408 (BP06) |
33214625 | REDIRECT URI VALIDATION DOESN'T SUPPORT QUERY PARAMS, FRAGMENTS, ETC |
33273701 | CREATE CLIENT ARTIFACT ENDPOINT DOESN'T SUPPORT THE MEDIA TYPES MENTIONED IN REST DOCUMENTATION |
33273732 | NO GET API ON CLIENT/TRUST ARTIFACTS (ONLY POST OR DELETE AVAILABLE) |
33273741 | ISSUES WITH DISCOVERY END-POINT |
33273750 | TOKEN INTROSPECTION ENDPOINT DOESN'T CONFORM TO SPECIFICATIONS |
32958613 | JWT TOKEN CONTAINE GROUP IN INCORRECT FORMAT |
33273674 | MUTUAL TLS FOR OAUTH CLIENT AUTHENTICATION |
33273579 | CLI AND REST COMMANDS TO EASE SFA TOTP SETUP IN OAM |
31517286 | Fix for Bug 31517286 |
32102796 | ALLOW SENDING ADDITIONAL CUSTOM CLAIMS INSIDE OIDC ID TOKEN WHEN OAM IS IDP |
32201831 | ABILITY TO PULL EMAIL VERIFIED CLAIM IN ID TOKEN FROM LDAP |
30045443 | OAM OAUTH: FEATURE TO GENERATE OAUTH TOKEN WITH TPC |
33098826 | UNSOLICITED LOGIN FLOW BREAKS WITH PASSWORD POLICY WITH SFA FLOW |
33055065 | FEDERATION NOT WORKING AFTER ACCESSING OAM PROTECTED PAGE |
31431111 | ON THE LOGOUT CONSENT PAGE, WORDING SHOW "SIGN IN" INSTEAD OF "SIGN OUT" |
32761540 | STRESS:FA:ATK:FTS ON AM_AUDIT_RECORD FROM SQL 8RWNP1YMTMWWB |
33117541 | NON-PROXY HOST EXCEPTIONS DO NOT WORK |
33139217 | OAM_ADMIN FAILS TO START AFTER APPLYING 12.2.1.4 APRIL/JULY 2021 BP |
32920684 | IMPORTPOLICYDELTA FAILS TO IMPORT ADVANCED AUTHENTICATION RULES |
33084122 | 12C 21.07 EVNI: "ACCESS SERVER HAS RETURNED A FATAL ERROR WITH NO DETAILED INFORMATION" ERRORS IN OHS LOGS (WEBGATE) |
33074398 | ISSUE WITH APNS PATCH 32625905: SOUND MISSING |
33010382 | SPECIAL CHAR ON PASSWORD FIXED IN 29771448 & 31555915 NO LONGER WORK AFTER BP06 |
32807465 | DELETING IDENTITY PROVIDER CANNOT REPLICATE TO CLONE SERVER FROM MASTER |
32704611 | NOT ABLE TO CREATE OAUTH CLIENT IF ATTRIBUTE VALUE CONTAINS BACKSLASH
Note: To enable the backslash ( The default value is |
32909931 | OAM NOT SETTING AUTHN RESPONSE HEADERS AFTER APPLY 12.2.1.4.210408 |
32543656 | OAM 11G (SP) SHOULD END THE LOCAL SESSION WHEN RECEIVING SOAP LOGOUT REQUEST |
32482754 | INCREASE OAUTH ACCESS TOKEN MAXIMUM SIZE TO MORE THAN 5000 CHARACTERS |
32879893 | INTERMITTENT ERRORS IN OAM CONSOLE PREVENT VIEWING & UPDATING POLICY OBJECTS |
32976735 | EBS APPSLOGIN FAILS WHEN USING OAM WITH OUD AS BACKEND LDAP ON AIX WITH TLS 1.2 ONLY |
32568653 | 12 VERSION : ACCESSSERVERCONFIGPROXY PORT CHANGING 5576 TO 5575
RESTARTADMIN
Note: To trigger the topology update, set the following system property insetDomainEnv.sh :
-Doam.t2p.enableTopologyUpdate=true |
32953208 | OAM OPENID CONNECT LOGOUT DOES NOT FORWARD STATE PARAMETER TO POST_LOGOUT_REDIRE |
32933119 | API /OAUTH2/REST/SECURITY DO NOT WORKING ERROR 406 |
27582324 | POST DATA RESTORATION FAILS WHEN OBRAR.CGI USES GET METHOD TO RETRIEVE DATA. |
31843528 | ASSERTION HAS AN ADVICE ELEMENT THAT CONTAINS AN ENCRYPTED FIELD THAT FAILS OAM |
32828842 | OIDC-PIREAN INTEGRATION - NOT A VALID JWT TOKEN |
32826737 | TEST CONNECTION FOR LDAP IN OAM CONSOLE FAILS FOR TLS 1.2 ON IBM AIX
Note: In IBM AIX OS 7.1 or 7.2 having OAM and OID set on TLSv1.2, ensure that you set the following OAM system property insetDomainEnv.sh :
|
32734517 | NOT ABLE TO UPDATE THE AUTHNSCHEMELEVEL FROM 5 TO 2 FOR X509 USING CURL |
31859438 | 12C :OAUTH CLIENT : UPDATE : REDIRECT URI : SUPPORT FOR HTTP PATCH REQUEST |
32655233 | LIBOVD 12C SPECIAL CHARACTER IN USERNAME FAILS TO LOCATE USER IN
LDAP
Note: This bug is dependent on libovd patch 32305678. |
32701831 | REDIRECT LOOP USING INITIAL_COMMAND=NONE AFTER APPLICATION DOMAIN IDLE TIMEOUT |
32501273 | REMOTE IP NOT APPEAR INTO AUDIT DATABASE FOR OAUTH AUTHORIZATION |
32653281 | "FAILED TO INIT CONTEXT PATH:/IDAAS/AM/ESSO" ERROR IN ADMIN SERVER STARTUP LOGS |
32561825 | AUTHMON - OAM AUTHMON (OAM-MON.SH) - NEED TO IMPLEMENT LOGOUT SO
SESSIONS DO NOT BUILD UP.
Note: In 12c PS4, OAM tester does not work in offline mode and is not supported through UI.For command line support, update the OAM tester input xml, for
example:
|
32650194 | FIX FOR BUG 32487114 IS NOT WORKING IN OAM REL13 PATCH 32628242 |
27584970 | CAPACITY CONSTRAINT IN WEBLOGIC-APPLICATION.XML CAUSING PERFORMANCE IMPACT |
1.21.15 Resolved Issues in OAM Bundle Patch 12.2.1.4.210607
Table 1-15 Resolved Issues in OAM Bundle Patch 12.2.1.4.210607
Base Bug Number | Description of the Problem |
---|---|
32682922 | SUCCESSFUL FEDERATION REDIRECTS TO RETURNURL EVEN THOUGH IT IS NOT WHITELISTED |
31560646 | FEDSTS ERRORS IN OAM LOGS |
32680956 | OAM OAUTH 12C NEED OUTPUT IN JSON FORMAT WHEN USING REST
API
For example:
|
32625905 | SUPPORT FOR HTTP/2 APPLE PUSH NOTIFICATION SERVER (APNS)
Apple Push Notification Server (APNS) does not support the legacy binary
protocol from March 31, 2021. The new server
( This bug fix provides support for HTTP/2 protocol when using APNS. This feature is not enabled by default. To use HTTP/2 APNS perform the
following steps:
|
32519715 | USER FROM EXISTING SESSION IS DIFFERENT FROM USER LOCALLY AUTHENTICATED |
32743560 | OAM 12CP4 : FIX 32632139 IS FAILING OVER OAMSERVERCOMMUNICATIONMODE = HTTP |
31629661 | ASDK FAILS TO CONNECT TO RUNNING OAM SERVER. |
32407903 | "EXCEPTION IN DECRYPTION" ERROR DURING UNSOLICITED LOGIN AND LOGOUT VIA DCC WG |
32376345 | NEED ALTERNATE SOLUTION FOR 31186283 TO REDUCE EXTRA CALL TO OAM ENDPOINT |
32198119 | INVALID SESSION CONTROL PARAMETERS ERROR WHEN UPDATING GITO COOKIE DOMAIN |
32291876 | WEBGATE PROFILE GET CORRUPTED IF ADD PRIMARY/SECONDARY SERVER WITH INDEX = 2 USING WEBGATE TEMPLATE. |
30116357 | DCC WEBGATE WITH UNSOLICITED POST AUTHN FAILS AFTER APPLYING 02/19 PATCH |
1.21.16 Resolved Issues in OAM Bundle Patch 12.2.1.4.210408
Table 1-16 Resolved Issues in OAM Bundle Patch 12.2.1.4.210408
Base Bug Number | Description of the Problem |
---|---|
29244150 | SSO BETWEEN TUNNELED DCC AND PLAIN DCC IS BROKEN WHEN APPLIED OAM BP'S 14,15 OR 16 |
27441865 | CLIENTSSLKEYSTOREPWD, CLIENTSSLTRUSTSTOREPWD NOT PROPERLY WRITTEN IN OAM-CONFIG |
28728420 | OAM-OIM FIRSTLOGIN PAGE IS BLANK, BACKURL CONTAIN HOST IDENTIFIER |
32612533 | OAM 12CPS4 SSO BETWEEN FED SP1 AND SP2 PARTNER PROTECTED RESOURCE IS FAILING WITH APRIL BP 32525944 |
32153972 | SIGNATURE VALIDATION FAILED OPENIDCONNECTPLUGIN CONFIGURATION |
32392692 | ORACLE CLOUD MCS_LOGIN_324.PNG NOT BEING USED AND APPEARS IN LOGIN PAGES |
32632139 | OAM 12CPS3 FIX FOR BUG 32055280 IS FAILING |
32433361 | ASDK INITIALIZATION FAILING |
32477536 | ASDK FAILED TO INITIALIZE IF COMPATIBILITYMODE IS OAM_12C |
18957556 | NOT GETTING P_ERROR_CODE=OAM-3 IN DIAGNOSTIC LOGS WHEN OID IS DOWN |
29725629 | Fix for Bug 29725629 |
31386392 | NOTSTRESS:FA:ATK:ORACLE.OAM.BINDING ERRORS IN IDM WLS_OAM1 LOGS |
27962394 | USER WAS APPENDED WITH POD NAME |
31994408 | OAM LOGIN PAGES CHANGES TO ADAPT TO REDWOOD UI STYLE |
30155115 | OIFAUTOMATION.PL ENABLEOIF FAILURE - WRONG DB SCHEMA PASSWORD USAGE |
31430985 | IN THE INITIAL SIGN ON PAGE, THE TEXTBOX "USER ID" AND "PASSWORD" FIELD DOES NOT HAVE A LABEL |
32430636 | 12C: 500 INTERNAL SERVER ERROR IN FAHOME PAGE |
32394988 | FOREGROUND AND BACKGROUND COLOURS DOES'T MEETS WCAG 2 AA CONTRAST RATIO THRESHOLDS |
32487114 | WCAG 2.0-2.4.1: PAGE MUST HAVE MEANS TO BYPASS REPEATED BLOCKS. |
32451171 | KM AUTOMATION : ADD AUTOMATION SCRIPT FOR CONFIG CHANGES IN BUG# 32380923 |
27481308 | ER: OAM OAUTH PKCE (RFC 7636) SUPPORT |
32507312 | ISSUE ACCESSING /OAMFED/USER/SLOOAM11G?ID=OAM11G&TYPE=3 |
29337161 | 12C UPDATES THE AM_SESSION TABLE IN THE DB FOR EVERY AUTHZ REQUEST |
29951446 | OAUTH SERVICE : TERMINATE TOKENS API NOT AVAILABLE |
32380255 | IOS PUSH NOTIFICATIONS PORTS 2195 AND 2196 ARE DEPRECATED FROM MARCH |
32250953 | INTERMITTENT LOGIN ISSUE WITH INTERNAL OAM ADC ENVIRONMENT |
32428227 | OAM_ADMIN DEPLOYMENT HAS FAILED |
32134602 | CONTINUATION OF BUG 31402491, USER FROM EXISTING SESSION IS DIFFERENT FROM USER |
32340416 | OAUTH REST API DELETE IDENTITY DOMAIN RETURNS SUCCESS WHEN INVALID REQUEST SENT |
32245443 | NULL POINTER EXCEPTION IS THROWN WHILE STARTING ADMINSERVER IF IAM SUITE APP DOMAIN IS MISSING. |
30352121 | NEED POSSIBILITY TO FILTER USER GROUPS SENT IN SAML RESPONSE IN FEDERATED ENV. |
31776266 | TOKEN HAS ACCESS TO CUSTOM ATTRIBUTES FOR ALL SCOPES |
32167212 | RESET OAM KEYSTORE PASSWORD IN 12C |
31558236 | SECURE FLAG IS NOT SET FOR SSL TERMINATED LOAD BALANCER |
32051924 | AFTER BP08 OLD CLIENTS STILL HAVE PLAIN TEXT SECRET |
31900502 | OAM12C - FORGOT PASSWORD WITH ONE-TIME PASSWORD DOESN'T WORK WITH SERVERREQUESTCACHETYPE FORM |
31861713 | OAM 12.2.1.4 IS NOT SENDING CLIENT CERTIFICATE DURING OUTBOUND ARTIFACT SAML REQ |
31750371 | SYSYEM ERROR AFTER REACHING INVALID OTP MAXATTEMPTS IN STANDALONE ENV |
29971944 | CONSENT PAGE FUNCTION FROM OIF 11GR1 NOT FOUND IN OAM 12C FEDERATION |
32136382 | NULLPOINTEREXCEPTION AFTER ADDING "-DORACLE.OAM.ENABLEEXTRASAMLATTR=TRUE" |
31830597 | OAUTH : ACCESS AND REFRESH TOKEN EXPIRY TIME NOT SET CORRECTLY |
31822228 | MFA FAILS WHEN ANONYMOUS SESSION EXISTS |
30922965 | UNABLE TO CREATE AND PERSIST USER..CAUSED BY: INVALID UUID STRING: ANONYMOUS-S |
1.21.17 Resolved Issues in OAM Bundle Patch 12.2.1.4.201201
Table 1-17 Resolved Issues in OAM Bundle Patch 12.2.1.4.201201
Base Bug Number | Description of the Problem |
---|---|
31266182 | ACCESS TOKEN REQUEST WITH JWT BEARER GRANT FAILS WITH DB UNIQUE
CONSTRAINT VIOLATION
Note: For OAuth flows with MDC enabled, the parameterSessionMustBeAnchoredToDataCenterServicingUser must be set to
false in the OAM Configuration.
|
30674083 | OAUTH 3-LEGGED AUTHZ CODE CAN BE USED MORE THAN 1 TIME |
28946202 | OAM AUDITING NOT CAPTURING IAU_INITIATOR FOR FAILED AUTHENTICATION ATTEMPTS |
31766587 | OAM 12C-OPEN ID CONNECT-NONCE CLAIM MISSING IN TOKEN |
31832371 | REQUESTING OPTION TO LEAVE OAUTH_TOKEN RESPONSE UNSET WITH ER 29541818 |
31778001 | Fix for Bug 31778001 |
30503494 | AFTER AUTHENTICATION FAILURE USER DOES NOT REDIRECT TO FAILURE URL |
31469921 | MULTI VALUE ATTRIBUTES ARE NOT RETURNING VALUE FROM FEDERATION AT 12C |
31734489 | ERROR MESSAGE WHEN USER HAS EXCEEDED THE MAXIMUM NUMBER OF ALLOWED SESSIONS |
31098504 | FEATURE TO CONFIGURE THE ANONYMOUS USER ACCOUNT NAME
You can configure the username in the anonymous user session by modifying the
anonymousUserName in the oam-config.xml file
under AnonymousModules . For
example:
For more information about editing the
Note: Changes are reflected only on Managed Server restarts. |
31641787 | OUD ATTRIBUTE RESETPWD:TRUE CAUSES AUTHN FAILURE FOR USERAUTHENTICATIONPLUGIN
Note: You can allow authentication for Oracle Unified Directory password policy attributeRESETPWD=true by adding the following attribute to the
oam-config.xml file under the configured user identity
store:
|
31650595 | UNABLE TO START INTERNAL STAGE PRIMARY |
31428183 | WEBGATE PROFILE GET CORRUPTED IF ADD PRIMARY/SECONDARY SERVER WITH N+2 INDEX USING WEBGATE TEMPLATE. |
31039212 | GLOBAL LOGOUT NOT CLEARING SESSION |
31857424 | Fix for Bug 31857424 |
31744937 | REST API:OTP:CREATEOTP & VALIDATEOTP FLOWS NEEDS TO BE FIXED |
29154366 | OAM-OSB INTEGRATION USING OAUTH2 NOT WORKING |
31638527 | NULL POINTER EXCEPTION WITH PASSWORD MANAGEMENT DISABLED |
28562000 | PREAUTHENTICATION RULE TO DENY ACCESS DISPLAYS OPERATION ERROR |
31728627 | CONCURRENCY ISSUES IN SecurityConfig/TrustedInputs INITIALIZATION. |
31595758 | SOME SAML ATTRIBUTES GET MAPPED TO WRONG AVALUES AFTER SAML RESPONSE WITH OAM 12C |
31741829 | STUCK THREADS IN ORACLE.SECURITY.FED.SECURITY.UTIL.CERTRETRIEVALUTILS.GETSIGNINGCERT IN SAML LOGIN FLOWS |
31763785 | 12CP4 - SESSION_ID IS NOT PRESENT AS PART OF THE CLAIMS IN THE ACCESS TOKEN GENERATED USING SSO LINK FLOW |
31526660 | THE HEADER IS NOT FOUND FOR SAML MULTI-VALUED RESPONSE VARIABLE |
31662739 | SESSION LINK TOKEN CANNOT BE USED AS FED ATTRIBUTE |
31494411 | MULTIPLE INVALID OTP ATTEMPTS DOES NOT LOCK USER OR STOP WRONG OTP
ATTEMPTS
For more information, see |
30991309 | DCC TUNNELING UNSOLICITED POST BROKEN IN 12C PS4 |
24485240 | ADDATTRIBUTESTOFEDATTRIBUTES FAILED IF FED SESSION EXISTS |
1.21.18 Resolved Issues in OAM Bundle Patch 12.2.1.4.200909
Table 1-18 Resolved Issues in OAM Bundle Patch 12.2.1.4.200909
Base Bug Number | Description of the Problem |
---|---|
31666896 | OAM AUTHENTICATION REST API |
31516886 | USERS CAN'T VIEW APPLICATION DOMAINS IF OAMCONSOLE IS PROTECTED BY WEBGATE |
31753451 | ERROR WHEN RUNNING WLST COMMAND SETSPPARTNERATTRIBUTEVALUEFILTER |
28296759 | FORCE PASSWORD RESET NOT WORKING WITH BASIC METHOD AND FORM CACHETYPE |
25853168 | AFTER UPGRADE TO R12 ONE/FEW CURL COMMAND FOR FEDERATION IS NOT WORKING |
29058490 | OAM OIM INTEGRATION - LOGIN LOOP AFTER THE USER IS UNLOCKED |
27566767 | ENH 27566767 - BACKWARD COMPATIBILITY : WITH OAM AS IDP PROVIDE ATTRIBUTE MAPPINGS AND FILTERS IN OAM 12C LIKE OIF 11G |
31111719 | 12CPS4:BP02:ERROR POP UPS ON OAMCONSOLE UI |
31427426 | SHOWING INVALID PARAMETERS WHILE UPDATING PRIMARY/SECONDARY SERVER PARAMETERS. |
30589288 | OIDC SOCIAL LOGIN FAILS DUE TO BLOCKURLS SECURITY CONFIGURATION |
30804658 | WIN2012R2: NEED TO HANDLE SQL VIOLATION AT ADMIN SERVER BOOTSTRAP |
31196076 | IPFPSWD.JSP IS THROWING SYSTEM ERROR |
26565827 | AWS ROLE MAPPING ATTRIBUTE SUPPORT |
31186283 | ESCAPE CHARACTERS ADDED WHEN CREATING OAUTH TOKEN |
31555915 | SPECIAL CHARS ON PASSWORD DOES NOT AUTHENTICATE AFTER UPGRADE TO 12.2.1.4 |
28040138 | ORACLE ACCESS MANAGER OPERATION ERROR WHEN AUTHZ POLICY SUCCESSURL IS CONFIGURED |
31501282 | OAM SYSTEM ERROR ON FORCE PASSWORD CHANGE AFTER APPLYING 12.2.1.3.191201 (BP07) |
23096690 | PUMA - PERFORMANCE ISSUES SEEN IN APS SYNC-ADD/UPDATE WEBGATE |
31038100 | ADVANCED RULE PARSING RETURNS UNEXPECTED RESULT FOR ATTRIBUTE
EVALUATION
Note: You must add the user attribute, used in the advance rule, as a system property where the attribute value is optional.
For
example:
EXTRA_JAVA_PROPERTIES="-Doam.rule.userAttr=description::NULL_VALUE ${EXTRA_JAVA_PROPERTIES}" export EXTRA_JAVA_PROPERTIES |
31289851 | OAUTH/OIDC APPROVAL WORKS WHEN NO SESSION FOUND |
31337500 | OAM MT STUCK THREADS AND HIGH CPU - UIDMX0113 |
30235925 | OAM SESSION SUPPORTS ONLY 40 STRING TYPE PROPERTIES |
31068961 | ORA-01461: CAN BIND A LONG VALUE ONLY FOR INSERT INTO A LONG COLUMN |
28855754 | 12.2.1.3 OUD PASSWORD POLICY ATTRIBUTE RESETPWD SET TO TRUE CAUSES AUTHN FAILURE |
29120924 | AMRUNTIMEEXCEPTION:INVALID SETTINGS FOR FORWARD WHEN INTEGRATING DUO PLUGIN |
27963081 | LDAP RESPONSE READ TIMED OUT - ON IDSTORE CREATION, IF "SEARCH BASE" IS "HUGE" |
1.21.19 Resolved Issues in OAM Bundle Patch 12.2.1.4.200629
Table 1-19 Resolved Issues in OAM Bundle Patch 12.2.1.4.200629
Base Bug Number | Description of the Problem |
---|---|
31065568 | INTERIM FIX : NEED TO MAKE SURE ALL COOKIES ISSUE BY OAM11G & 12C CONTAIN SAMESITE=NONE |
31465732 | OAMS.OAM_RESOURCE_URL WARNING MESSAGES STILL DISPLAY IN OAM LOGS WITH FIX 30053037 |
30053037 | OAMS.OAM_RESOURCE_URL WARNING MESSAGES IN OAM LOGS |
31510690 | PASSWORDRESETREQUESTS REST END POINT THROWS INTERNAL SERVER ERROR. |
31508059 | INVALID SESSION CONTROL PARAMETERS |
30622957 | X509 RFC (SECURITY): OAM AUTHN WITH EXTENDEDKEYUSAGE |
31366419 | UPDATE VALIDATE ENDPOINT TO WORK WITH POST |
31413189 | MODIFY MDC SESSION CONTROL API FAILES WITH MDC NOT ENABLED ERROR |
31419785 | THE OAMCUSTOMPAGES.WAR IS NOT DEPLOYABLE. |
30953737 | WLS ADMIN SERVER LOG FILE AFTER APPLYING AN OAM BUNDLE PATCH THE
FOLLOWING WARNING IS NOW SEEN - SOFTLOCK IS ENABLED BUT IS NOT RECOMMENDED SETTING IN
PRODUCTION ENVIRONMENT
Note: To understand how to run the script for disabling/enabling softlock, refer to readme.txt in the following directory:$MW_HOME/idm/oam/server/wlst/scripts/utilities/ |
31110638 | OAM 12.2.1.4 APR20 BP - IMPORTPOLICY WLST FUNCTION TAKING VERY LONG TIME TO IMPORT POLICIES |
29883498 | OAM/MDC ISSUE: INVALID SIMPLE MODE ARTIFACTS |
30669352 | AUTHORIZATION RESPONSE NOT RETURNED FOR AUTHORIZATION FAILURE |
30748479 | CLIENT IP NOT CAPTURED IN AUDIT.LOG FOR REST CALLS |
30406633 | GETTING NOT_FOUND WHILE FETCHING ATTRIBUTE FOR SAML RESPONSE HEADER |
30762860 | Fix for Bug 30762860 |
31000954 | 12CPS4 : FEDERATION USES LOCAL IN MEMORY STORE |
30120631 | SMS OTP PAGE REFRESH |
30911495 | TWO FACTOR AUTHENTICATION ENTRY TEXTBOX DOES NOT GAIN FOCUS IF THERE IS ONLY ONE OPTION FOR 2ND FACTOR AUTHENTICATION |
30628496 | UNABLE TO MODIFY PRIMARY/SECONDARY SERVER DATA USING CREATEWEBGATETEMPLATE SYNTAX |
30831364 | HTTP 405 ON WNA CRED COLLECT ENDPOINT EVEN THOUGH ENDPOINT NOT IN BLOCKURLS LIST |
30771422 | ADVANCED RULE PARSING FAILS FOR MAP PARAMETERS (USER.USERMAP,
REQUEST.REQUESTMAP
Note: See also the noteOracle Access Manager (OAM) "Invalid rule condition" Error On
Advanced Rules (Doc ID 2664614.1) at https://support.oracle.com.
|
30882267 | OAM CUSTOM PAGES LOGIN.JSP IS NOT WORKING IN OAM 12.2.1.4 |
28108712 | MODIFY MDC SESSION CONTROL REST API FAILS |
29715441 | OAM: USERINFO REST CALL DOES NOT RETURN CORRECT VALUE OF TELEPHONENUMBER FOR LDAP PROVIDER OUD |
30832165 | FEDERATION: FEDSTS-10202: COULD NOT RETRIEVE MDC DATA FROM CLUSTER |
30793308 | OAM IDP: SYSTEM ERRORS SEEN INTERMITTENTLY DURING FEDERATION LOGOUT |
30355996 | OAM SESSION API RETURN HTTP 500 ERROR WITH CEST TIMEZONE |
1.21.20 Resolved Issues in OAM Bundle Patch 12.2.1.4.200327
Table 1-20 Resolved Issues in OAM Bundle Patch 12.2.1.4.200327
Base Bug Number | Description of the Problem |
---|---|
30805180 | OAM Snapshot Tool |
30805164 | OAUTH CONSENT LIFECYCLE MANAGMENT AND MDC SUPPORT |
30805154 | OAUTH JUST IN TIME /JIT PROVISIONING |
30820170 | AUTHORIZATION ERROR WITH USER MEMBER LARGE NUMBER OF GROUP |
30792754 | MDC ENV. CUSTOM ATTRIBUTES ARE NOT INCLUDED IN ACCESS TOKEN |
21391069 | NEED TO LOG AUTHENTICATION FAILURE AUDIT LOG FROM CUSTOM PLUGIN |
29717855 | SAML LOGOUT NOT WORKING IF OLD FED SESSIONS EXIST IN DB |
29240849 | NEED TO LOG ADDITIONAL AUTHENTICATION FAILURE FOR AUDIT LOG FROM CUSTOM PLUGIN |
30634571 | 12C OAUTH AUDIT RECORDS RETURN NULL VALUES FOR OAUTHTOKENVALIDATE EVENTS |
30571576 | K8S : OAM_ADMIN AND OAM_SERVER APPLICATION DEPLOYMENT FAILED K8S CLUSTER |
29783271 | UPDATE OF OUD DETAILS DELETES CONFIG ATTRIBUTE ENTRY ADDED FROM OAM-CONFIG.XML |
29885236 | ENABLED MULTIVALUEGROUPS SP USE $USER.GROUPS TWICE IN A FED SP ATTRIBUTE PROFILE |
30134427 | Fix for Bug 30134427 |
30169956 | OAUTH PASSWORD GRANT TYPE CAN ONLY USE NON-PLUGIN LDAP MODULE FOR AUTHENTICATION |
30213267 | DCC WEBGATE TUNNELING FOR ADF CUSTOM LOGIN PAGE NOT WORKING
This fix enables tunneling for custom pages using chunked
transfer-encoding. It also provides a way to specify the read-timeout on connections
used to fetch custom pages from the managed server using the Webgate's user-defined
parameter Specify the
tunnelingDCCReadTimeout in seconds, for example,
tunnelingDCCReadTimeout=30 .
Note: When specifyingtunnelingDCCReadTimeout , you must also increase
aaaTimeoutThreshold accordingly.
|
30460435 | DCC TUNNELING WHITELIST CAN NOT BE DISABLED USING ENABLEWHITELISTVALIDATIONDCCTUNNELING CONFIG |
30426370 | OAM 12.2.1.4:DOWNLOADACCESSARTIFACTS: SEVERE:REQUEST TO PROCESS ARTIFACTS FAILED |
30468914 | OAM DOES NOT SUPPORT HOLDER OF KEY PROFILE. |
30069618 | OAMAGENT-02077: AUTHN TOKEN IS EITHER NULL OR INVALID |
1.21.21 Resolved Issues in OAM Bundle Patch 12.2.1.4.191223
Table 1-21 Resolved Issues in OAM Bundle Patch 12.2.1.4.191223
Base Bug Number | Description of the Problem |
---|---|
26679791 | FIX FOR BUG 25898731 IS FAILING IN OAM 11.1.2.3.171017BP 26540179 |
30389257 | TWO FACTOR AUTHENTICATION ENTRY TEXTBOX DOES NOT GAIN FOCUS |
30311080 | OIGOAMINTEGRATION.SH -CONFIGURESSOINTEGRATION THROWS UNMARSHAL EXCEPTION IN FRESH 12CPS4 ENV |
30156706 | OAM ADMIN SERVER START FAILS DUE TO FAIL TO CREATE OAM-CONFIG.XML FROM DBSTORE |
29771448 | % CHAR IN PASSWORD USED TO GENERATE OAUTH ACCESS TOKEN IS TRANSLATED TO ASCII |
30144617 | ISSUE ON CHANGE IN BEHAVIOR IN RETURNING ERRORCODE AFTER APPLYING PATCH 29918603 |
29482858 | OAM 11G ASDK INTERMITTENTLY THROWING ERROR WHILE CREATING OBSSOCOOKIE |
29541818 | ER TO ADDRESSING ADDITIONAL USE CASES OF OAUTH AND JSON IN OAM 12C |
29837657 | OAM DOES SUBTREE SEARCH TO VALIDATE IDSTORE CREATION |
29290091 | WRONG SELECT IN ADMIN STARTUP LOGS |
30156607 | DIAG: ADD MORE LOGS IN AMKEYSTORE VALIDATION FLOW TO IDENTIFY CONFIG THAT CAUSES TO FAIL TO START ADMIN SERVER |
30243111 | DIAG: REQUIRE LOGS IN DEFAULT KEYSTORE BOOTSTRAPPING FLOW TO IDENTIFY CONFIG MISSING/CORRUPTION ISSUE |
30180492 | OCI FEDERATION WITH ORACLE ACCESS MANAGER IS NOT WORKING AS EXPECTED |
30363797 | OAM11GR2PS3 : WNA_DCC MODULE IS FAILING WITH SECURITY BUG FIX :25963019 |
29649734 | 12.2.1.3.180904 (BP04) ACCESS SERVER RETURNS JSON KEY AND NOT P7B LIKE DOCUMENT |
30062772 | FEDERATION BP18 CAUSES LOGOUT END_URL TO BE CONVERTED TO LOWER CASE IN FED LOGOU |
30176378 | ERRORS IN OAM SERVER LOGS AFTER RUNNING WLST COMMAND DISABLESKIPAUTHNRULEEVAL() |
30267123 | UNABLE TO LOGIN FROM MULTIPLE TABS AFTER LOGGING IN FROM A TAB. |
1.22 Known Issues and Workarounds
- My Oracle Support Document 2602696.1 at https://support.oracle.com
- Bug 34636811, workaround can be found at My Oracle Support Document 2901185.1 at https://support.oracle.com
Oracle Fusion Middleware Oracle Access Management Bundle Patch Readme, OAM Bundle Patch 12.2.1.4.241227 Generic for all Server Platforms
G23514-01