5 Troubleshooting Common Problems in Access Manager and OIG Integration
These sections describe common problems you might encounter in an Oracle Identity Governance and Access Manager integrated environment and explain how to solve them.
- Troubleshooting Single Sign-On Issues in an Access Manager and OIG Integrated Environment
- Troubleshooting Auto-Login Issues in an Access Manager and OIG Integrated Environment
- Troubleshooting Session Termination Issues
- Troubleshooting Account Self-Locking Issues
- Troubleshooting Miscellaneous Issues in an Access Manager and OIG Integrated Environment
In addition to this section, review the Error Messages for information about the error messages you may encounter.
For information about additional troubleshooting resources, see Using My Oracle Support for Additional Troubleshooting Information.
5.1 Troubleshooting Single Sign-On Issues in an Access Manager and OIG Integrated Environment
This section describes common problems and solutions relating to single sign-on in the integrated environment. Using single sign-on, a user can access Oracle Identity Governance resources after being successfully authenticated by Access Manager. When accessing any Oracle Identity Governance resource protected by Access Manager, the user is challenged for their credentials by Access Manager using the Oracle Access Management Console login page.
This section discusses the following single sign-on issues:
- Diagnosing Single Sign-On Issues By Capturing HTTP Headers
- Access Manager Redirection to OIG Login Page
- Access Manager Failure to Authenticate User
- Troubleshooting Oracle Access Management Console Login Operation Errors
- Troubleshooting Authenticated User Redirection to OIG Login
- User Redirected to OIG During OIG Forgot Password, Register New Account, or Track User Registration Flows
- User Redirection in a Loop
- Troubleshooting SSO Integration Configuration
- WADL Generation Does not Show Description
5.1.1 Diagnosing Single Sign-On Issues By Capturing HTTP Headers
Checking the HTTP headers may provide diagnostic information about login issues. You can collect this information by enabling HTTP tracing in the web browser, logging in to Access Manager as a new user, and examining the request and response headers of the resulting redirects for useful information.
5.1.2 Access Manager Redirection to OIG Login Page
After accessing an Oracle Identity Governance resource using OHS (for example, http://OHS_HOST:OHS_PORT/identity), the user is redirected to the Oracle Identity Governance login page instead of the Oracle Access Management Console login page.
Cause
The Access Manager WebGate is not deployed or configured properly.
Solution
Confirm that the httpd.conf file contains the following entry at the end:
include "webgate.conf"
where webgate.conf contains the 12c WebGate configuration.
If this entry is not found, review the WebGate configuration steps to verify none were missed. For more information, see Configuring Oracle HTTP Server WebGate for Oracle Access Manager in Installing WebGates for Oracle Access Manager and Configuring Access Manager Settings in the Administering Oracle Access Management.
5.1.3 Access Manager Failure to Authenticate User
User login fails with the following error:
An incorrect Username or Password was specified.
Cause
Access Manager is responsible for user authentication but authentication has failed. The identity store configuration may be wrong.
Solution
Check that the identity store is configured correctly in the Oracle Access Management Console.
To resolve this problem:
- Log in to the Oracle Access Management Console.
- Navigate to Configuration > User Identity Stores > OAMIDStore.
- Verify the Default Store and System Store configuration.
- Click Test Connection to verify the connection.
5.1.4 Troubleshooting Oracle Access Management Console Login Operation Errors
The user is not directed to the Oracle Access Management Console to log in, and the following error message appears:
Oracle Access Manager Operation Error.
Cause 1
The OAM Server is not running.
Solution 1
Start the OAM Server.
Cause 2
The WebGate is not correctly deployed on OHS, or is not configured correctly for the 12c Agent registered on the OAM Server. An error message such as the following displays:
The AccessGate is unable to contact any Access Servers.
The issue may be with the SSO Agent. See Understanding Credential Collection and Login in Administering Oracle Access Management.
Solution 2
To resolve this problem:
5.1.5 Troubleshooting Authenticated User Redirection to OIG Login
The user is authenticated by the Oracle Access Management Console but is redirected to the Oracle Identity Governance login page and asked to enter credentials again.
Cause 1
The security providers for the OIG domain are not configured correctly in Oracle WebLogic Server.
Solution 1
Verify the WebLogic security providers are configured correctly for the OIG domain security realm. Check the LDAP Authenticator setting. For more information, see Validating the Oracle Identity Governance Security Provider Configuration.
Cause 2
OAMIDAsserter is not configured correctly in Oracle WebLogic Server.
Solution 2
To resolve this problem:
5.1.6 User Redirected to OIG During OIG Forgot Password, Register New Account, or Track User Registration Flows
Access Manager relies upon Oracle Identity Governance for password management. If the user logs in for the first time or if the user password is expired, Access Manager redirects the user to the Oracle Identity Governance First Login page.
From the Access Manager login screen, the user should be able to navigate to the Oracle Identity Governance Forgot Password, Self-Registration, or Track Registration flows.
Cause
If there is any deviation or error thrown when performing these flows, the configuration in oam-config.xml (OAM_DOMAIN_HOME/config/fmwconfig) is incorrect. See Exporting and Importing the OAM Configuration File for the steps to export and import the oam-config.xml file.
Solution
Verify that the contents of oam-config.xml resemble the following example. Specifically, Host and Port under ServerConfiguration must correspond to the OHS (or any supported web server) that front-ends the Oracle Identity Governance resources.
<Setting Name="IdentityManagement" Type="htf:map">
  <Setting Name="IdentityServiceConfiguration" Type="htf:map">
    <Setting Name="IdentityServiceProvider" Type="xsd:string">oracle.security.am.engines.idm.provider.OracleIdentityServiceProvider</Setting>
    <Setting Name="AnonymousAuthLevel" Type="xsd:integer">0</Setting>
    <Setting Name="IdentityServiceEnabled" Type="xsd:boolean">true</Setting>
    <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
      <Setting Name="AccountLockedURL" Type="xsd:string">/identity/faces/accountlocked</Setting>
      <Setting Name="ChallengeSetupNotDoneURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
      <Setting Name="DateFormatPattern" Type="xsd:string">yyyy-MM-dd'T'HH:mm:ss'Z'</Setting>
      <Setting Name="ForcedPasswordChangeURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
      <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
      <Setting Name="PasswordExpiredURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
      <Setting Name="LockoutAttempts" Type="xsd:integer">5</Setting>
      <Setting Name="LockoutDurationSeconds" Type="xsd:long">31536000</Setting>
    </Setting>
  </Setting>
  <Setting Name="RegistrationServiceConfiguration" Type="htf:map">
    <Setting Name="RegistrationServiceProvider" Type="xsd:string">oracle.security.am.engines.idm.provider.DefaultRegistrationServiceProvider</Setting>
    <Setting Name="RegistrationServiceEnabled" Type="xsd:boolean">true</Setting>
    <Setting Name="RegistrationServiceProviderConfiguration" Type="htf:map">
      <Setting Name="ForgotPasswordURL" Type="xsd:string">/identity/faces/forgotpassword</Setting>
      <Setting Name="NewUserRegistrationURL" Type="xsd:string">/identity/faces/register</Setting>
      <Setting Name="RegistrationManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
      <Setting Name="TrackUserRegistrationURL" Type="xsd:string">/identity/faces/trackregistration</Setting>
    </Setting>
  </Setting>
  <Setting Name="ServerConfiguration" Type="htf:map">
    <Setting Name="OIM-SERVER-1" Type="htf:map">
      <Setting Name="Host" Type="xsd:string">myhost1.example.com</Setting>
      <Setting Name="Port" Type="xsd:integer">7777</Setting>
      <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
    </Setting>
  </Setting>
</Setting>
5.1.7 User Redirection in a Loop
A new user attempts to access Oracle Identity Management Self-Service and, after successful authentication, is redirected in a loop. The service page does not load and the browser continues spinning or refreshing.
Cause
The OHS WLCookieName setting for the Location that front-ends identity is incorrect.
Solution
Check the OHS configuration that front-ends identity and verify that the WLCookieName directive is set to oimjsessionid. If not, set this directive to oimjsessionid in each Oracle Identity Management resource Location entry. For example:
<Location /identity>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost myhost1.example.com
  WebLogicPort 8003
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
5.1.8 Troubleshooting SSO Integration Configuration
Cause
During the Configuring SSO Integration step, the script can fail because of OAM-related issues.
Solution
- Verify that the OAM server is up.
- Ensure that the credentials used for this step are correct.
- Check the console log for Error 401--Unauthorized.
- Restart the OAM admin and managed servers.
- Ensure that the sso-config.properties file contains the following:
generateIndividualConfigFiles=false
prepareIDStore=false
configOAM=false
addMissingObjectClasses=false
populateOHSRules=false
configureWLSAuthnProviders=false
configureLDAPConnector=false
configureSSOIntegration=true
enableOAMSessionDeletion=false
updateContainerRules=false
- Run the following REST API and ensure that it responds with the OAM policy application domains:
http(s)://<oam-admin-server-host>:<oam-admin-server-port>/oam/services/rest/11.1.2.0.0/ssa/policyadmin/appdomain
Note:
The REST API must be run by a user having System Administrator privileges. To assign the System Administrator role to a user:
- Log in to the OAM console.
- Click Configuration > Administration > Grant.
- Search for the user to whom you want to grant System Administrator privileges, for example, weblogic_idm.
- Ensure that the Role is set to System Administrator.
- Click Add Selected.
- In the configureSSOIntegration.config file, specify the user with System Administrator privileges as the value of the IDSTORE_OAMADMINUSER property. For example, IDSTORE_OAMADMINUSER=weblogic_idm
If the REST endpoint does not respond, or returns a Request Failed error, perform the following steps:
- Log in to the OAM AdminServer WLS Console.
- Navigate to Application Deployments.
- Select oam-admin, click Update, and then click Active.
- Stop all OAM domain servers.
- Delete the tmp and cache directories under the admin, oam, and policy manager servers.
- Start all the OAM domain servers and run the REST command again.
Note:
Do not proceed to the next step unless the specified REST API responds with the OAM policy application domains. Otherwise, the following script may return UnmarshalException.
- Run OIGOAMIntegration.sh -configureSSOIntegration.
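The preflight in the procedure above, written out as an added example (this is not part of OIGOAMIntegration.sh or any Oracle tooling): it calls the policyadmin appdomain endpoint on the OAM AdminServer with the IDSTORE_OAMADMINUSER credentials and refuses to continue unless the call returns application domains. The verdict logic is a pure function so it can be exercised on constructed responses. Assumptions: the endpoint accepts HTTP Basic authentication, the JSON response lists each application domain under a "name" key, and the host and user shown are placeholders.

```python
"""Preflight for OIGOAMIntegration.sh -configureSSOIntegration (added example)."""
import base64
import json
import urllib.error
import urllib.request

APPDOMAIN_PATH = "/oam/services/rest/11.1.2.0.0/ssa/policyadmin/appdomain"


def _collect_names(node, out):
    """Recursively gather every "name" value in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "name" and isinstance(value, str):
                out.append(value)
            else:
                _collect_names(value, out)
    elif isinstance(node, list):
        for item in node:
            _collect_names(item, out)


def classify_appdomain_response(status, body):
    """Map an HTTP status and body to (verdict, detail).

    'proceed'        200 with at least one application domain listed
    'unauthorized'   401: wrong credentials or user lacks the System Administrator grant
    'request_failed' any other status, or a body that is not JSON (redeploy oam-admin,
                     clear tmp/cache, restart the OAM domain, retry)
    'no_domains'     200 but no domain names found (assumes domains carry a "name" key)
    """
    if status == 401:
        return "unauthorized", "check credentials and the System Administrator grant"
    if status != 200:
        return "request_failed", f"HTTP {status}"
    try:
        data = json.loads(body)
    except ValueError:
        return "request_failed", "response is not JSON"
    names = []
    _collect_names(data, names)
    if not names:
        return "no_domains", "200 but no application domain names in the response"
    return "proceed", ", ".join(names)


def fetch_appdomains(base_url, user, password, timeout=15):
    """GET the appdomain endpoint with HTTP Basic auth; return (status, body_text)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + APPDOMAIN_PATH,
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/404/500 still carry a status and body
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import getpass
    import sys

    # Placeholder AdminServer URL and admin user; substitute your own values.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://oamadmin.example.com:7001"
    status, body = fetch_appdomains(base, "weblogic_idm", getpass.getpass("OAM admin password: "))
    verdict, detail = classify_appdomain_response(status, body)
    print(verdict, detail)
    sys.exit(0 if verdict == "proceed" else 1)
```

Run it before the configureSSOIntegration step; a non-zero exit maps directly onto the remedies above (401 to the credential and grant checks, any other failure to the oam-admin redeploy and tmp/cache cleanup).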
5.1.9 WADL Generation Does not Show Description
Issue
Requesting the WADL of the following endpoints does not show the description, and java.lang.IllegalStateException: ServiceLocatorImpl is returned:
http://<Host>:<AdminServerPort>/oam/services/rest/11.1.2.0.0/ssa/policyadmin/application.wadl
http://<Host>:<ManagedServerPort>/iam/access/api/v1/health/application.wadl
The server log contains an error similar to the following:
Exception thrown when provider class org.glassfish.jersey.server.internal.monitoring.MonitoringFeature$StatisticsListener was processing MonitoringStatistics. Removing provider from further processing.
java.lang.IllegalStateException: ServiceLocatorImpl(__HK2_Generated_6,9,221656053) has been shut down
    at org.jvnet.hk2.internal.ServiceLocatorImpl.checkState(ServiceLocatorImpl.java:2393)
Resolution
Restart the Admin server and the managed servers to resolve the WADL issue.
5.2 Troubleshooting Auto-Login Issues in an Access Manager and OIG Integrated Environment
The auto-login feature enables user login to Oracle Identity Governance after the successful completion of the Forgot Password or Forced Change Password flows, without prompting the user to authenticate using the new password.
Communication between Oracle Identity Governance and Access Manager can be configured to use Oracle Access Protocol (OAP) or TAP channels. Debugging auto-login issues is simplified if you determine which channel is being used. Determine the channel by examining the Oracle Identity Governance SSOIntegrationMXBean (version attribute) using the System MBean Browser in Oracle Enterprise Manager Fusion Middleware Control. For more information, see "Using the System MBean Browser" in Administering Oracle Fusion Middleware.
Depending upon the Access Manager version being used, the following applies:
- If the version is 11g, the TAP channel is used during auto-login. See Troubleshooting TAP Protocol Issues. For the OAP channel, see Troubleshooting Oracle Access Protocol (OAP) Issues.
After a password is reset in Oracle Identity Governance and in LDAP through LDAP synchronization, Oracle Identity Governance redirects the user to the Access Manager TAP endpoint URL (SSOIntegrationMXBean: TAPEndpointUrl). Access Manager then auto-logs in the user by redirecting to the requested resource.
Note:
In the 12c Oracle Identity Governance and Access Manager integrated environment, the TAP protocol is configured for auto-login by default.
5.2.1 Troubleshooting TAP Protocol Issues
Check the OIG Server and Access Manager Server logs for any of the following error messages:
- 404 Not Found Error. For a possible solution, see 404 Not Found Error.
- System error. Please re-try your action. For a possible solution, see System Error.
5.2.1.1 404 Not Found Error
After resetting the password, the user is redirected to a 404 Not Found error page.
Cause
The Access Manager TAP endpoint URL (SSOIntegrationMXBean: TAPEndpointUrl) is configured incorrectly.
Solution
Verify that TAPEndpointUrl is correctly configured in the Oracle Identity Governance SSOIntegrationMXBean and is accessible. For example:
http://OAM_HOST:OAM_PORT/oam/server/dap/cred_submit
or, where Access Manager is front-ended by OHS:
http://OHS_HOST:OHS_PORT/oam/server/dap/cred_submit
5.2.1.2 System Error
After resetting the password, the user is redirected to the Access Manager TAPEndpointUrl (configured in the Oracle Identity Governance SSOIntegrationMXBean), and the following error displays in the UI:
System error. Please re-try your action. If you continue to get this error, please contact the Administrator.
Cause 1
A message similar to the following displays in the Access Manager Server logs:
<Sep 19, 2012 4:29:45 PM EST> <Warning> <oracle.oam.engine.authn> <BEA-000000> <DAP Token not received>
<Sep 19, 2012 4:29:45 PM EST> <Error> <oracle.oam.binding> <OAM-00002> <Error occurred while handling the request.
java.lang.NullPointerException
    at oracle.security.am.engines.enginecontroller.token.DAPTokenEncIssuerImpl.issue(DAPTokenEncIssuerImpl.java:87)
Solution 1
This error could be due to misconfiguration of TAPResponseOnlyScheme in Access Manager. Verify that oam-config.xml (located at OAM_DOMAIN_HOME/config/fmwconfig) contains the following entry:
Note:
See Exporting and Importing the OAM Configuration File for the steps to export and import the oam-config.xml file.
<Setting Name="DAPModules" Type="htf:map">
  <Setting Name="7DASE52D" Type="htf:map">
    <Setting Name="MAPPERCLASS" Type="xsd:string">oracle.security.am.engine.authn.internal.executor.DAPAttributeMapper</Setting>
    <Setting Name="MatchLDAPAttribute" Type="xsd:string">uid</Setting>
    <Setting Name="name" Type="xsd:string">DAP</Setting>
  </Setting>
</Setting>
The value of MatchLDAPAttribute should be uid. If not, change the value.
To resolve the problem:
- Log in to the Oracle Access Management Console.
- Navigate to TAPResponseOnlyScheme and add the following as a Challenge parameter: MatchLDAPAttribute=uid
- Save the changes.
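Both oam-config.xml checks in this chapter (the ServerConfiguration Host/Port in 5.1.6 and the DAP module's MatchLDAPAttribute in Solution 1 above) are mechanical, so here they are as one added example script (not Oracle's code). It runs against an exported oam-config.xml; the embedded fragment is constructed in the shape of the page's examples, with both settings deliberately wrong (the OIG managed-server port 14000 instead of the OHS port, and cn instead of uid). The Setting element names are those shown on this page; the fragment's nesting is an assumption, which is why the two top-level sections are located by searching the whole tree.

```python
"""Static checks on oam-config.xml for the OIG integration (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed fragment; real exports nest these sections deeper under <Configuration>.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="IdentityManagement" Type="htf:map">
    <Setting Name="IdentityServiceConfiguration" Type="htf:map">
      <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
        <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
      </Setting>
    </Setting>
    <Setting Name="ServerConfiguration" Type="htf:map">
      <Setting Name="OIM-SERVER-1" Type="htf:map">
        <Setting Name="Host" Type="xsd:string">myhost1.example.com</Setting>
        <Setting Name="Port" Type="xsd:integer">14000</Setting>
        <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
      </Setting>
    </Setting>
  </Setting>
  <Setting Name="DAPModules" Type="htf:map">
    <Setting Name="7DASE52D" Type="htf:map">
      <Setting Name="MatchLDAPAttribute" Type="xsd:string">cn</Setting>
      <Setting Name="name" Type="xsd:string">DAP</Setting>
    </Setting>
  </Setting>
</Configuration>
"""


def find_setting(root, name):
    """First <Setting Name=name> anywhere under root, or None."""
    for el in root.iter("Setting"):
        if el.get("Name") == name:
            return el
    return None


def child_setting(parent, name):
    """Direct child <Setting Name=name> of parent, or None (None parent tolerated)."""
    if parent is None:
        return None
    for el in parent.findall("Setting"):
        if el.get("Name") == name:
            return el
    return None


def child_text(parent, name, default=""):
    el = child_setting(parent, name)
    return (el.text or "").strip() if el is not None else default


def check_oam_config(xml_text, ohs_host, ohs_port):
    """Return a list of findings; an empty list means both checks passed."""
    root = ET.fromstring(xml_text)
    findings = []

    idm = find_setting(root, "IdentityManagement")
    if idm is None:
        findings.append("IdentityManagement section not found")
    else:
        # The server entry to check is whichever one IdentityManagementServer names.
        prov = child_setting(child_setting(idm, "IdentityServiceConfiguration"),
                             "IdentityServiceProviderConfiguration")
        server_name = child_text(prov, "IdentityManagementServer", "OIM-SERVER-1")
        server = child_setting(child_setting(idm, "ServerConfiguration"), server_name)
        if server is None:
            findings.append(f"ServerConfiguration has no entry for {server_name}")
        else:
            host, port = child_text(server, "Host"), child_text(server, "Port")
            if host.lower() != ohs_host.lower() or port != str(ohs_port):
                findings.append(f"{server_name} is {host}:{port}; expected the OHS "
                                f"front end {ohs_host}:{ohs_port}")

    # The DAP module is the child of DAPModules whose "name" setting is DAP.
    dap_modules = find_setting(root, "DAPModules")
    modules = dap_modules.findall("Setting") if dap_modules is not None else []
    dap = next((m for m in modules if child_text(m, "name") == "DAP"), None)
    if dap is None:
        findings.append("DAPModules has no module named DAP")
    elif child_text(dap, "MatchLDAPAttribute") != "uid":
        findings.append(f"DAP MatchLDAPAttribute is "
                        f"{child_text(dap, 'MatchLDAPAttribute')!r}; expected 'uid'")
    return findings


if __name__ == "__main__":
    # Usage: python check_oam_config.py oam-config.xml OHS_HOST OHS_PORT
    if len(sys.argv) == 4:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text, host, port = fh.read(), sys.argv[2], int(sys.argv[3])
    else:
        text, host, port = SAMPLE_OAM_CONFIG, "myhost1.example.com", 7777
    for line in check_oam_config(text, host, port) or ["oam-config.xml checks passed"]:
        print(line)
```

Because the file is checked by name, run it after every export and before every import of oam-config.xml; an empty result for your OHS host and port means the two symptoms described here (redirect to the wrong host during Forgot Password, and the DAP Token not received warning) cannot come from these two settings.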
Cause 2
The following error displays in the Access Manager Server logs:
javax.crypto.BadPaddingException: Given final block not properly padded
This may occur if OIM_TAP_PARTNER_KEY is not included in the OIG credential map in the credential store, or if an invalid key is present.
Solution 2
Reregister Oracle Identity Governance as a TAP partner with Access Manager by rerunning the OIGOAMIntegration.sh -configureSSOIntegration option, and then restart the complete OIG domain.
Cause 3
After resetting the password, if auto-login is not successful, the OIG server logs contain the following error:
Error occured while retrieving TAP partner key from Credential store
Solution 3
To resolve the problem:
- Using Fusion Middleware Control, verify that the OIM_TAP_PARTNER_KEY generic credential is present in the OIG credential map in the credential store.
- If OIM_TAP_PARTNER_KEY is present, verify that the LDAP connector is configured correctly and that the password has been reset in the LDAP provider. Check this by issuing an ldapbind command with the user and the new/reset password.
Cause 4
After resetting the password, if auto-login is not successful, the OAM server logs have the following error:
Error occured while retrieving DAP token from OAM due to invalid TAP partner key
The OIM_TAP_PARTNER_KEY present in the OIG credential map of the credential store is not valid.
Solution 4
Reregister Oracle Identity Governance as a TAP partner with Access Manager by rerunning the OIGOAMIntegration.sh -configureSSOIntegration option. You must restart the complete OIG domain.
Cause 5
After resetting the password, if auto-login is not successful, the OIG server logs may show the following error:
Error occurred when decrypting the DAP token
Solution 5
- Update the OIMPartner attribute with the OIMPartnerOld attribute by using the OAM REST API. See Modifying OAM Configuration Parameters Using OAM REST API.
- Delete OIM_TAP_PARTNER_KEY from the OIG domain using Oracle Enterprise Manager Fusion Middleware Control.
- Reregister Oracle Identity Governance as a TAP partner with Access Manager by rerunning the OIGOAMIntegration.sh -configureSSOIntegration option.
- Verify that OIM_TAP_PARTNER_KEY is available in the domain credential store. See Validating the Oracle Identity Governance Domain Credential Store.
- Restart the OIG and OAM domains.
5.2.2 Troubleshooting Oracle Access Protocol (OAP) Issues
Check the OIG Server logs for any of the following types of error messages.
The resource URL is not protected.
Corrective action:
Verify that the correct host:port combination is configured in the Access Manager host identifier configuration.
- Log in to the Oracle Access Management Console: http://oam_adminserver_host:oam_adminserver_port/oamconsole
- In the Oracle Access Management Console, click Application Security at the top of the window.
- Click Host Identifiers in the Access Manager section. The Search Host Identifiers page is displayed.
- Click Search to initiate the search.
- Click IAMSuiteAgent in the Search Results table.
- Check the host identifiers for the host:port combination. The IAMSuiteAgent host identifier should include the host:port of the OHS (web server) that is front-ending Oracle Identity Management.
aaaClient is not initialized.
Corrective action:
Verify that the passwords seeded into the OIG domain credential store are correct. For OPEN mode, check the WebGate password. For more information, see Validating the Oracle Identity Governance Domain Credential Store.
Failed to communicate with any of configured OAM Server.
Corrective action:
- Verify that the OAM Server is up and running.
- Verify that the passwords seeded into the OIG domain credential store are correct.
- For OPEN mode, check the WebGate password.
See Validating the Oracle Identity Governance Domain Credential Store.
SSOKeystore tampered or password is incorrect.
Corrective action:
- Check that the keystore file ssoKeystore.jks is present in OIM_DOMAIN_HOME/config/fmwconfig.
- If present, check that the keystore password is seeded properly into the OIG domain credential store.
See Validating the Oracle Identity Governance Domain Credential Store.
Oracle Identity Management logs do not have any information about the failure.
Corrective action:
- Enable HTTP header capture and record the headers while running through the First Login and Forgot Password flows. See Diagnosing Single Sign-On Issues By Capturing HTTP Headers.
- In the HTTP headers, look for Set-Cookie: ObSSOCookie after the POST method on the First Login or Forgot Password page. Check the domain of the cookie. It should match the domain of the protected resource URL.
- If the cookie domain is different, update CookieDomain in the Oracle Identity Management SSO configuration using Fusion Middleware Control. See Validating the Oracle Identity Governance SSO Configuration Settings.
- If the cookie domain is correct, check for any time differences between the machines that host the OIG and OAM Servers.
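The cookie-domain check above (and the header capture described in Diagnosing Single Sign-On Issues By Capturing HTTP Headers) is easy to get wrong by eye, because a cookie for .idm.example.com looks close enough to a resource on sso.example.com. The following added example (not Oracle's code) takes the captured exchanges as an ordered list of (method, url, response_headers) entries, finds the POST to the First Login or Forgot Password page, takes the first Set-Cookie: ObSSOCookie that follows it, and applies RFC 6265 domain matching against the protected resource's host. The capture is constructed; the cred_submit redirect and the OAM_ID cookie in it are illustrative.

```python
"""Check the ObSSOCookie domain in a captured First Login / Forgot Password flow (added example)."""
from urllib.parse import urlsplit

POST_PAGES = ("/identity/faces/firstlogin", "/identity/faces/forgotpassword")

# Constructed capture: OIG is front-ended on sso.example.com, but the cookie comes
# back for .idm.example.com, so the browser never sends it back to sso.example.com.
SAMPLE_CAPTURE = [
    ("GET", "http://sso.example.com:7777/identity/faces/firstlogin",
     [("Content-Type", "text/html;charset=UTF-8")]),
    ("POST", "http://sso.example.com:7777/identity/faces/firstlogin",
     [("Location", "http://sso.example.com:7777/oam/server/dap/cred_submit")]),
    ("GET", "http://sso.example.com:7777/oam/server/dap/cred_submit",
     [("Set-Cookie", "ObSSOCookie=REDACTED; domain=.idm.example.com; path=/; HttpOnly"),
      ("Set-Cookie", "OAM_ID=REDACTED; path=/; secure; HttpOnly"),
      ("Location", "http://sso.example.com:7777/identity/faces/home")]),
]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie_name, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True  # flag attributes such as HttpOnly / Secure
    return name, attrs


def domain_covers_host(cookie_domain, host):
    """RFC 6265 domain matching: host equals the domain or is a subdomain of it."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def obssocookie_after_post(capture, post_pages=POST_PAGES):
    """Attributes of the first ObSSOCookie set on or after the POST to a reset page, else None."""
    seen_post = False
    for method, url, headers in capture:
        if method.upper() == "POST" and urlsplit(url).path in post_pages:
            seen_post = True
        if not seen_post:
            continue
        for name, value in headers:
            if name.lower() == "set-cookie":
                cookie_name, attrs = parse_set_cookie(value)
                if cookie_name == "ObSSOCookie":
                    return attrs
    return None


def check_sso_cookie_domain(capture, protected_url):
    """Return (ok, message) for the cookie-domain check described in 5.2.2."""
    attrs = obssocookie_after_post(capture)
    if attrs is None:
        return False, "no Set-Cookie: ObSSOCookie after the First Login / Forgot Password POST"
    host = urlsplit(protected_url).hostname
    cookie_domain = attrs.get("domain", host)  # no domain attribute means a host-only cookie
    if not domain_covers_host(cookie_domain, host):
        return False, (f"ObSSOCookie domain {cookie_domain} does not cover {host}; "
                       "update CookieDomain in the OIG SSO configuration")
    return True, f"ObSSOCookie domain {cookie_domain} covers {host}"


if __name__ == "__main__":
    print(check_sso_cookie_domain(SAMPLE_CAPTURE, "http://sso.example.com:7777/identity"))
```

If the check passes and the browser still loops back to the login page, the remaining item in the list above (clock skew between the OIG and OAM hosts) is the next thing to rule out.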
5.3 Troubleshooting Session Termination Issues
The session termination feature enables the termination of all active user sessions after the user status is modified by an Oracle Identity Management administrator. The following Oracle Identity Management operations lead to session termination: user lock, disable or delete.
To troubleshoot session termination issues:
- Verify that the OAM REST URL http://<OAM_HOST>:<OAM_PORT>/oam/services/rest/access/api/v1/session?userId=<uid> is accessible. Here, OAM_HOST refers to SSOIntegrationMXBean: AccessServerHost and OAM_PORT refers to SSOIntegrationMXBean: OAMServerPort.
- Verify that the OAM Admin user (SSOIntegrationMXBean: OAMAdminUser) has authorization to invoke the OAM REST API.
- Verify in oam-config.xml in the OAM domain that UserStore in SessionRuntime points to the IDStore created during integration.
- Verify that /db/ssointg/EventHandlers.xml is in the Oracle Identity Governance MDS. See Validating the Oracle Identity Governance Event Handlers Configured for SSO.
5.4 Troubleshooting Account Self-Locking Issues
Use Case 1
Both LDAP store and Access Manager lock out the user due to multiple failed login attempts. The user attempts to reset his or her password using the Oracle Identity Governance (OIG) "Forgot Password" page, but the reset operation fails.
Possible explanation: the user's locked status has not yet propagated to Oracle Identity Governance.
- Check if the user is locked in Oracle Identity Governance:
  - Log in to the Identity Self Service application as an Oracle Identity Governance administrator.
  - Navigate to the Users section, then search for the user.
  - Check if the Identity status is locked.
- If the status is not locked, run an SSO User Incremental Reconciliation scheduled job, and then confirm that the user status is locked.
Use Case 2
The user account self-locks due to multiple invalid credentials login attempts. Later, when the user attempts to log in with the correct credentials, he or she is not able to log in. The user expects to log in first and then change the password, but login fails consistently.
Possible explanation: both LDAP directory and Access Manager may have locked the user account. In this case the user cannot log in to Oracle Identity Governance or to any protected page. The user has to use the Forgot Password flow to reset the password.
Note that if only Access Manager locks out the user, the user can log in to Oracle Identity Governance and change the password immediately.
Use Case 3
The LDAP directory pwdMaxFailure count of three is less than the oblogintrycount value of five. The LDAP directory locks out the user due to multiple invalid credentials login attempts (in this case, three attempts). Later, when the user tries to log in with the correct credentials, on the fourth attempt the user still cannot log in. The user expects to log in first and then change the password, but login fails consistently.
Possible explanation: the LDAP directory locked out the user, but Access Manager did not. The user cannot log in with the correct password even though the oblogintrycount is less than five, but following the Forgot Password flow works and resets the password.
Note that when the LDAP directory locks out the user there is nothing to reconcile into OIG, because OIG does not reconcile user accounts that are locked in the LDAP store. When the LDAP store locks the user, OIG shows the user as active. Following the Forgot Password flow is the only way to reset the password.
Use Case 4
The LDAP directory pwdMaxFailure count value of seven is greater than the oblogintrycount value of five. Access Manager therefore locks out the user first, due to multiple invalid credentials login attempts. Later, when the user tries to log in with the correct credentials, the user is able to log in and is redirected to change the password, but the reset password operation fails.
Possible explanation: the user locked status has not yet propagated to OIG.
- Check if the user is locked in OIG:
  - Log in to the Identity Self Service application as an OIG administrator.
  - Navigate to the Users section, then search for the user.
  - Check if the Identity status is locked.
- If the status is not locked, run an SSO User Incremental Reconciliation scheduled job, and then confirm that the user status is locked.
Note that use case one and this use case look similar. In use case one, both LDAP directory and Access Manager locked the user account, whereas in this use case only Access Manager locks the user. The remedy for both use cases is the same, however.
Use Case 5
The user cannot remember his or her password and tries to reset the password using the Forgot Password flow. The user provides his or her user login, provides a new password, and provides incorrect challenge answers. After three failed attempts, both the LDAP directory and Access Manager lock the user. The user expects to get locked out after five attempts instead of three because the oblogintrycount value is 5.
Possible explanation: the password reset attempts in the OIG Reset/Forgot Password flow are governed by the OIG system property XL.MaxPasswordResetAttempts, whose default value is 3. Consequently, the user is locked out after three attempts. OIG locks the user natively in the LDAP directory and in Access Manager.
Note that password reset attempts are different from login attempts. Login attempts are governed by Access Manager (oblogintrycount=5) and password reset attempts by OIG (XL.MaxPasswordResetAttempts=3).
Use Case 6
The LDAP directory locks the user because some process repeatedly binds to LDAP as that user with incorrect credentials. Access Manager does not lock out the user. When the user tries to log in with the correct credentials, he or she is not able to log in.
Possible explanation: the LDAP directory locks the user out in this use case, not Access Manager. The user cannot log in with the correct password even if the oblogintrycount is still less than 5, but the user can reset his or her password by following the Forgot Password flow.
Note that when a user is locked out only by the LDAP directory, the user's lock-out status is not reconciled into OIG. Consequently, the user still shows as active in OIG even though the user is locked in the LDAP directory.
Use Case 7
When the user resets his password, the password reset is not immediate.
- The user account self-locks due to multiple invalid credentials login attempts.
- The user uses the Forgot Password flow to reset the password.
- The user account is still locked, and he or she is not able to log in to Oracle Identity Governance.
Possible explanation: the user's locked status has not yet propagated to OIG.
- Check if the user is locked in OIG:
  - Log in to the Identity Self Service application as an OIG administrator.
  - Navigate to the Users section, and then search for the user.
  - Check if the Identity status is locked.
- If the status is not locked, run an SSO User Incremental Reconciliation scheduled job, and then confirm that the user status is locked.
5.5 Troubleshooting Miscellaneous Issues in an Access Manager and OIG Integrated Environment
This section provides solutions for the following miscellaneous issues:
- Scheduler and System Properties do not come up in the Integrated Environment
- Client Based Oracle Identity Governance Login Failure
- Logout 404 Error Occurs After Logging Out of OIG protected Application
- Old Password Remains Active After Password Reset
- OIG Configuration Failure During Seeding of OIG Policies into Access Manager
- Adding Object Classes Fails
- SSO Reconciliation Filter Does Not Work With DN Attributes for Trusted Source Reconciliation
- Login Fails for Users Created Through Bulk Load
- Events are Generated Without Any Changes in the Target
5.5.1 Scheduler and System Properties do not come up in the Integrated Environment
When accessing the scheduler page, the following error occurs and configuration properties are not visible.
Failed
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /iam/governance/selfservice/api/v1/scheduler/history was not found on this server.</p>
</body></html>
Solution
- Add the following entries to the oim.conf file at the following locations:
OAM_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/moduleconf/oim.conf
OAM_DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/moduleconf/oim.conf
Entries:
<Location /iam/governance/adminservice/api/v1>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost %OIM_HOST%
  WebLogicPort %OIM_PORT%
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /iam/governance/selfservice/api/v1>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost %OIM_HOST%
  WebLogicPort %OIM_PORT%
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
- Restart the servers.
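Two of the OHS symptoms in this chapter come from the same file: a missing Location block gives the 404 above, and a Location whose WLCookieName is not oimjsessionid gives the redirect loop in User Redirection in a Loop. The following added example (not Oracle's code) parses the mod_wl_ohs configuration text and reports both conditions for every OIG path this chapter names. The configuration text embedded below is constructed and contains both faults; the list of required paths is taken from this page and is meant to be extended with any other OIG Location you front-end.

```python
"""Check the mod_wl_ohs <Location> blocks that front-end OIG (added example)."""
import re
import sys

# Paths named in this chapter; add any further OIG Location paths you expose.
REQUIRED_OIM_LOCATIONS = (
    "/identity",
    "/iam/governance/adminservice/api/v1",
    "/iam/governance/selfservice/api/v1",
)

# Constructed sample: /identity carries the wrong cookie name, selfservice is missing.
SAMPLE_OIM_CONF = """
<Location /identity>
  SetHandler weblogic-handler
  WLCookieName JSESSIONID
  WebLogicHost myhost1.example.com
  WebLogicPort 14000
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /iam/governance/adminservice/api/v1>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost myhost1.example.com
  WebLogicPort 14000
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.IGNORECASE | re.DOTALL)


def parse_locations(conf_text):
    """Return {path: {directive_lowercase: value}} for each <Location> block."""
    blocks = {}
    for match in LOCATION_RE.finditer(conf_text):
        path, body = match.group(1).strip('"'), match.group(2)
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        blocks[path] = directives
    return blocks


def check_oim_locations(conf_text, required=REQUIRED_OIM_LOCATIONS):
    """Return findings for missing or misconfigured OIG Location blocks."""
    locations = parse_locations(conf_text)
    findings = []
    for path in required:
        directives = locations.get(path)
        if directives is None:
            findings.append(f"{path}: no <Location> block, OHS answers 404 for it")
            continue
        if directives.get("sethandler", "").lower() != "weblogic-handler":
            findings.append(f"{path}: SetHandler is not weblogic-handler")
        cookie = directives.get("wlcookiename")
        if cookie != "oimjsessionid":
            findings.append(f"{path}: WLCookieName is {cookie!r}, expected 'oimjsessionid'")
    return findings


if __name__ == "__main__":
    # Usage: python check_oim_conf.py /path/to/oim.conf   (no argument runs the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_OIM_CONF
    for line in check_oim_locations(text) or ["OIG Location blocks look correct"]:
        print(line)
```

Run it against every oim.conf location listed above; OHS instances that share a domain are easy to fix on one node and forget on the other.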
5.5.2 Client Based Oracle Identity Governance Login Failure
For successful client-based login to Oracle Identity Governance:
- The client-based login user must be present in the LDAP provider.
- An LDAP Authenticator must be configured in the OIG domain security realm corresponding to the LDAP provider where the user is present. See Validating the Oracle Identity Governance Security Provider Configuration.
5.5.3 Logout 404 Error Occurs After Logging Out of OIG protected Application
If logging out of an Oracle Identity Governance protected application returns a 404 error, verify that the logout configuration is present in jps-config.xml. See Validating the Oracle Identity Governance SSO Logout Configuration.
If needed, the JPS configuration can be fixed by editing the jps-config.xml file located in $DOMAIN_HOME/config/fmwconfig and then restarting all the servers.
To resolve a misconfiguration in jps-config.xml
:
5.5.4 Old Password Remains Active After Password Reset
In Active Directory environments, old passwords can remain active for up to one hour after a password reset. During this interval, both the old and new password can successfully bind to the Active Directory server. This is the expected behavior.
5.5.5 OIG Configuration Failure During Seeding of OIG Policies into Access Manager
As part of running OIGOAMIntegration.sh -configureSSOIntegration, Oracle Identity Governance policies are seeded into Access Manager using the REST endpoint exposed by Access Management.
An exception while seeding the Oracle Identity Governance policies occurs when the user credentials used for accessing the Access Management endpoint do not have enough privileges to perform the operation.
The solution is as follows:
5.5.6 Adding Object Classes Fails
When you run OIGOAMIntegration.sh -addMissingObjectClasses to add the object classes, it fails with the following error:
ldap_bind: Invalid credentials (49)
Cause
This error occurs when the value of the IDSTORE_BINDDN property in the addMissingObjectClasses.config file contains a space. The script expands $IDSTORE_BINDDN unquoted, so the shell splits the DN into separate arguments and ldapsearch binds with a truncated DN.
Example
IDSTORE_BINDDN:cn=Directory Manager
Solution
- Ensure that the value of the IDSTORE_BINDDN property is enclosed in double quotation marks ("), as in the following example:
IDSTORE_BINDDN:cn="Directory Manager"
- Replace the following lines in the addMissingObjectClasses function of the _OIGOAMIntegration.sh script:
COMMAND="ldapsearch -h $IDSTORE_HOST -p $IDSTORE_PORT -D $IDSTORE_BINDDN -w $IDSTORE_BINDDN_PWD -b $IDSTORE_USERSEARCHBASE -s sub $FILTER dn"
echo "Executing ldapsearch..."
echo $COMMAND
$COMMAND | grep "dn:" > ${ALL_USERS}
With the following lines:
LDAP_COMMAND="ldapsearch -h $IDSTORE_HOST -p $IDSTORE_PORT -D \"$IDSTORE_BINDDN\" -w $IDSTORE_BINDDN_PWD -b $IDSTORE_USERSEARCHBASE -s sub $FILTER dn"
COMMAND=$(ldapsearch -h $IDSTORE_HOST -p $IDSTORE_PORT -D "$IDSTORE_BINDDN" -w $IDSTORE_BINDDN_PWD -b $IDSTORE_USERSEARCHBASE -s sub $FILTER dn)
echo "Executing ldapsearch..."
echo $LDAP_COMMAND
# Quote the expansion so each result line stays on its own line for grep.
echo "$COMMAND" | grep "dn:" > ${ALL_USERS}
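The failure mode above is ordinary shell word splitting, which is easy to reproduce without a directory server. The following added example (not part of OIGOAMIntegration.sh) applies POSIX shell splitting to the ldapsearch line the script builds and shows the argv ldapsearch actually receives, with the bind DN unquoted and quoted. The host, port, base, filter and password are placeholder values.

```python
"""Why an unquoted $IDSTORE_BINDDN breaks the ldapsearch in 5.5.6 (added example)."""
import shlex

BIND_DN = "cn=Directory Manager"  # a DN containing a space, as in the page's example


def ldapsearch_argv(bind_dn, quote_dn):
    """argv the shell produces for the script's ldapsearch line.

    quote_dn=False models the original script, which expands $IDSTORE_BINDDN bare;
    quote_dn=True models the fix, which expands it as "$IDSTORE_BINDDN".
    """
    dn = shlex.quote(bind_dn) if quote_dn else bind_dn
    line = (f"ldapsearch -h ldap.example.com -p 3060 -D {dn} -w secret "
            f"-b ou=People,dc=example,dc=com -s sub '(objectClass=person)' dn")
    return shlex.split(line)  # POSIX word splitting, as the shell would do


def bind_dn_seen_by_ldapsearch(argv):
    """The value ldapsearch receives for -D."""
    return argv[argv.index("-D") + 1]


if __name__ == "__main__":
    for quoted in (False, True):
        argv = ldapsearch_argv(BIND_DN, quoted)
        print("quoted" if quoted else "unquoted", "->", bind_dn_seen_by_ldapsearch(argv), argv)
```

Unquoted, ldapsearch binds as cn=Directory and receives Manager as a stray positional argument, which is exactly the Invalid credentials (49) the page describes; quoted, the DN arrives intact.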
5.5.7 SSO Reconciliation Filter Does Not Work With DN Attributes for Trusted Source Reconciliation
When you use the Contains, startsWith, or endsWith filter with the entryDN field, SSO full and incremental reconciliation fail with the following error:
org.identityconnectors.framework.common.exceptions.ConnectorException: Unsupported filter type for attribute entryDN
LDAP filters on the entryDN and DN attributes are not supported by the LDAP connector specification and implementation. Only the __parentDN__ attribute with the equalTo filter is supported under the current LDAP filter support. Therefore, to fetch users under an OU as part of trusted reconciliation, apply the equalTo filter to the __parentDN__ attribute.
5.5.8 Login Fails for Users Created Through Bulk Load
In an OAM-OIG integrated environment with AD used as the LDAP directory in a connector-based setup, if login does not work for users created through bulk load, follow the solution described in this topic.
Cause
This happens because the sAMAccountName attribute of the user in the AD target has a junk value, such as $JI7000-BD7NAT1841M6, instead of the actual user ID.
Solution
When AD is used as LDAP, update the transformation script for the SSOTarget application to add the condition for BULKLOAD. To do so:
- Login to Oracle Identity Self Service.
- Click the Manage tab, and edit the SSOTarget application from the Applications page.
- Go to the Settings page, and click the Reconciliation tab.
- In the Validation & Transformation section, click Transformation Script to open the editor.
- Add the condition for BULKLOAD to the existing provisioning-mechanism check, as shown:
if (context.provisionMechanism.equalsIgnoreCase("REQUEST")
    || context.provisionMechanism.equalsIgnoreCase("ADMIN")
    || context.provisionMechanism.equalsIgnoreCase("BULKLOAD")) {
    // fall back to the login name when the target did not supply a user ID
    if (User_Id == null || User_Id == "") {
        User_Id = getBeneficiaryAttrFromContext("User Login");
    }
}
- Save the changes.
After adding the condition for BULKLOAD, reload all the bulk-load users, and then attempt to log in.
5.5.9 Events are Generated Without Any Changes in the Target
When you run the SSO User Incremental Reconciliation scheduled job, events are generated although no changes were made in the target.
Cause
Events are generated because the obPasswordExpiryDate field value coming from the target is not formatted correctly in OIG.
Solution
- In Oracle Identity Self Service, click the Manage tab, and edit the SSOTarget application from the Applications page.
- Go to the Schema page and change the advanced settings of the obPasswordExpiryDate schema attribute to enable the Date option.
- Save the changes.
- Run the SSO User Incremental Reconciliation scheduled job.
5.6 Troubleshooting Target Account Creation
Container rules are not configured in SSOIntegrationMXBean
Corrective action:
- Execute the addContainerRules operation manually against SSOIntegrationMXBean.
- Or update the appropriate configuration file and run one of the following scripts:
$ORACLE_HOME/idm/server/ssointg/bin/OIGOAMIntegration.sh -configureLDAPConnector
$ORACLE_HOME/idm/server/ssointg/bin/OIGOAMIntegration.sh -updateContainerRules
Application Instance is not created
Corrective action:
- Create the Application Instance manually. For more information, see Creating Target Application Instance.
- Or update the appropriate configuration file and run the following script:
$ORACLE_HOME/idm/server/ssointg/bin/OIGOAMIntegration.sh -configureLDAPConnector
LDAP server is not running
Corrective action: Start the LDAP server.
Directory is not seeded
Corrective action: Update the appropriate configuration file and run the following script:
$ORACLE_HOME/idm/server/ssointg/bin/OIGOAMIntegration.sh -prepareIDStore
mds-oim connection pool is unable to allocate another connection
Corrective action:
- From the WebLogic console, navigate to Services > Data Sources > mds-oim > Connection Pool.
- On the Connection Pool page, increase the values of Initial Capacity, Minimum Capacity, and Maximum Capacity.
- Click Save.
- On the Connection Pool page, select the Advanced link available at the bottom of the page.
- On the Advanced page, set the value of Inactive Connection Timeout to a non-zero value, for example 10.
- Click Save.
Resetting password in OUD
When the System Administrator manually locks a user in OIG, the attributes obLockedOn and pwdAccountLockedTime are set for the user in OUD. If the System Administrator resets the user's password, pwdAccountLockedTime is cleared in OUD. This is the default behavior in OUD.
When the pwdAccountLockedTime attribute is cleared, the user status is updated to unlocked after user reconciliation in OIG. However, obLockedOn is still set in OUD, and OAM treats this user as locked.
Corrective action:
Lock (or unlock) the user from OIG. This scenario applies only to resetting the password of a manually locked user. It does not apply to changing the password of a self-locked user, that is, a user locked because of failed password attempts.
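The following shell script is an added example, not part of the Oracle tooling, that detects the state described above from ldapsearch output: for each OUD user entry it reports whether obLockedOn and pwdAccountLockedTime agree, and lists the entries that OAM still treats as locked although the OUD lock time has been cleared. The entries and attribute values are constructed sample data; real value formats may differ.

```shell
#!/usr/bin/env bash
# Added example, not part of the Oracle tooling: reads ldapsearch output for
# OUD user entries and reports, per entry, whether the two lock indicators
# agree. obLockedOn set while pwdAccountLockedTime is absent is the state
# left behind by the password reset described above (unlocked in OIG after
# reconciliation, still locked for OAM). The entries and attribute values are
# constructed sample data; real value formats may differ.

SAMPLE_LOCK_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
obLockedOn: 1700000000000
pwdAccountLockedTime: 20240101120000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
obLockedOn: 1700000000000

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
'

# lock_state_report: reads LDIF on stdin and prints "<dn><TAB><state>" per entry:
#   locked    obLockedOn and pwdAccountLockedTime both present
#   oam-only  obLockedOn present, pwdAccountLockedTime cleared (the mismatch)
#   oud-only  pwdAccountLockedTime present without obLockedOn
#   unlocked  neither attribute present
lock_state_report() {
  awk '
    function flush() {
      if (dn == "") return
      if (ob && pwd)     state = "locked"
      else if (ob)       state = "oam-only"
      else if (pwd)      state = "oud-only"
      else               state = "unlocked"
      print dn "\t" state
      dn = ""; ob = 0; pwd = 0
    }
    /^dn: /                   { flush(); dn = substr($0, 5); next }
    /^obLockedOn: /           { ob = 1; next }
    /^pwdAccountLockedTime: / { pwd = 1; next }
    END { flush() }
  '
}

# mismatched_entries: DNs that OAM still treats as locked although OUD (and,
# after reconciliation, OIG) shows them unlocked.
mismatched_entries() {
  printf '%s' "$SAMPLE_LOCK_LDIF" | lock_state_report | awk -F '\t' '$2 == "oam-only" { print $1 }'
}

# state_of DN: state reported for one DN in the sample data.
state_of() {
  printf '%s' "$SAMPLE_LOCK_LDIF" | lock_state_report | awk -F '\t' -v d="$1" '$1 == d { print $2 }'
}

printf '%s' "$SAMPLE_LOCK_LDIF" | lock_state_report
```

In a live environment the sample data would be replaced by the output of an ldapsearch over the user container that requests the two attributes; entries reported as oam-only are the ones to lock or unlock from OIG as the corrective action says.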
5.7 Troubleshooting prepareIDStore for AD
Error
Schema in ADUserSchema.ldif fails to load. This error appears when running the following script step:
oracle.ldap.util.LDIFLoader loadOneLdifFile INFO: Ignoring Error: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 00002082: AtrErr: DSID-03151817, #1: 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att90094 (schemaIDGUID):len 26 ]; remaining name 'cn=oblocationdn,cn=schema,cn=configuration,DC=interop55,DC=us,DC=oracle,DC=com'
Solution
- Edit ADUserSchema.ldif and replace %IDSTORE_SEARCHBASE% with DC=interop55,DC=my,DC=org,DC=com
- Run the LDAP command to load the schema into AD:
ldapmodify -h 192.0.2.1 -p 389 -D Administrator@interop -w <password> -f ADUserSchema.ldif -c -x
Problem
In an AD environment, object classes such as oblixgroup are not loaded after the -prepareIDStore step is run.
Solution
- Navigate to $ORACLE_HOME/idm/server/ldif/prepareidstore/AD/schema
- Edit ADUserSchema.ldif and replace %IDSTORE_SEARCHBASE% with the location in the directory where users and groups are stored, for example, dc=example,dc=com
- Run the LDAP command:
ldapmodify -h <activedirectoryhostname> -p <activedirectoryportnumber> -D <AD_administrator> -f ADUserSchema.ldif -w <password> -c -x
where AD_administrator is the user with schema extension privileges on the directory.
Example:
ldapmodify -h activedirectoryhost.example.com -p 389 -D adminuser -f ADUserSchema.ldif -w password -c -x
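The following shell script is an added example, not part of the Oracle prepareIDStore tooling, that performs the placeholder substitution from the two procedures above in a checked way: it renders an LDIF template by replacing %IDSTORE_SEARCHBASE%, verifies that no placeholder survives (an unreplaced placeholder would leave a literal %IDSTORE_SEARCHBASE% in the schema entry DNs), and only then runs ldapmodify with the same -c -x flags as the documented command. The template is a constructed stand-in for ADUserSchema.ldif; the search base and host are placeholders, and the bind password is read from an environment variable named LDAP_BIND_PW (an assumption of this example).

```shell
#!/usr/bin/env bash
# Added example, not part of the Oracle prepareIDStore tooling: renders an
# LDIF template by replacing %IDSTORE_SEARCHBASE%, checks that no placeholder
# survives, and only then hands the file to ldapmodify. The template below is
# a constructed stand-in for ADUserSchema.ldif; attribute values are not real.

LDIF_TEMPLATE='dn: cn=oblocationdn,cn=schema,cn=configuration,%IDSTORE_SEARCHBASE%
changetype: add
objectClass: attributeSchema
cn: oblocationdn

dn: cn=oblixgroup,cn=schema,cn=configuration,%IDSTORE_SEARCHBASE%
changetype: add
objectClass: classSchema
cn: oblixgroup
'

# render_ldif SEARCHBASE: prints the template with every %IDSTORE_SEARCHBASE%
# replaced. The search base is escaped so that & or | in it cannot change the
# meaning of the sed replacement.
render_ldif() {
  escaped=$(printf '%s' "$1" | sed 's/[&|\\]/\\&/g')
  printf '%s' "$LDIF_TEMPLATE" | sed "s|%IDSTORE_SEARCHBASE%|$escaped|g"
}

# unresolved_placeholders SEARCHBASE: count of lines that still contain a
# %NAME% token after rendering. Anything other than 0 means the schema
# entries would be sent with a literal placeholder in their DN.
unresolved_placeholders() {
  render_ldif "$1" | grep -c '%[A-Z_][A-Z_]*%' || true
}

# rendered_entry_count SEARCHBASE: number of lines whose DN ends in SEARCHBASE.
rendered_entry_count() {
  render_ldif "$1" | grep -cF -- ",$1"
}

# load_schema SEARCHBASE HOST PORT BINDDN: renders to a temporary file,
# refuses to continue if the search base is empty or a placeholder is left,
# then runs ldapmodify with the same -c -x flags as the documented command.
# The bind password comes from LDAP_BIND_PW (assumed variable name); note that
# -w still exposes it to other local users through the process list.
load_schema() {
  searchbase=$1; host=$2; port=$3; binddn=$4
  [ -n "$searchbase" ] || { echo "refusing to load: empty search base" >&2; return 1; }
  [ "$(unresolved_placeholders "$searchbase")" -eq 0 ] || {
    echo "refusing to load: placeholder left in rendered LDIF" >&2
    return 1
  }
  tmp=$(mktemp) || return 1
  render_ldif "$searchbase" > "$tmp"
  ldapmodify -h "$host" -p "$port" -D "$binddn" -w "$LDAP_BIND_PW" -f "$tmp" -c -x
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Preview only; load_schema needs a reachable AD and ldapmodify, for example:
#   LDAP_BIND_PW=... load_schema dc=example,dc=com ad.example.com 389 adminuser
render_ldif "dc=example,dc=com"
```

The check matters because ldapmodify is run with -c, which continues past entries that fail; a DN still containing the placeholder would be reported only as one more ignored error in the output.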
5.8 Troubleshooting the OIG-OAM Integrated Environment Upgrade
After upgrading from an 11.1.2.3.0 environment to 14.1.2.1.0, when you perform the First Login, Forgot Password, or Reset Password flow, auto-login fails and a system error message appears. When you initiate these flows, the new password and challenge questions are set correctly despite the system error.
To resolve this issue, you must re-login with the newly set password.