Oracle® Access Manager Identity and Common Administration Guide
10g (10.1.4.2.0)

Part Number B32419-01

F Troubleshooting Oracle Access Manager

This appendix explains typical problems that you could encounter while running or installing Oracle Access Manager. It contains these sections:

F.1 Directory and Database Problems and Solutions

This section describes common problems and solutions for the directory and database. It contains the following topics:

F.1.1 Problem Setting up SSL Between the Identity Server and Active Directory

When configuring SSL between the Identity Server and Active Directory, the Identity Server crashes.

Problem

Active Directory uses the Lightweight Directory Access Protocol (LDAP) for read and write operations. By default, LDAP traffic is sent in the clear over an open channel. You can enable a secure version of LDAP using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. The secure version of LDAP that uses SSL is known as LDAPS.

If you have not configured SSL, or if there is a problem with the configuration, the Identity Server crashes when establishing an SSL connection with an LDAPS-enabled Active Directory Server. The Event Viewer application log produces a report similar to the following:

Faulting application ois_server.exe, version 0.0.0.0, faulting module
NSLDAPSSL32V41.dll, version 16512.0.0.10521, fault address 0x0004d3cd. 

Solution

Install a valid certificate on a domain controller that enables the LDAP service to listen for, and automatically accept, SSL connections for LDAP and global catalog traffic.

For the component to establish an SSL connection to an LDAPS-enabled Active Directory server, the server certificate must contain the fully qualified domain name of the Active Directory domain controller, for example, server.domain.com. This information must appear in the Common Name (CN) of the Subject field.

After receiving the client certificate, the LDAP server determines whether the CA that issued the certificate is trusted. If the CA is trusted, the server uses the subject name in the certificate to determine whether the client has access rights to perform the requested operation.

F.1.2 Error Message to Check if the Directory Server is Running or Responding

During normal operations, you can receive an error indicating that the directory server may not be operational.

Problem

The Access Server or Policy Manager may issue one of the following error messages:

  • "Please verify that the Directory Server is running."

  • "Please verify that the Directory Server is responding."

These error messages are generated when the Oracle Access Manager component does not receive a response from the directory server within a user-configurable amount of time.

Solution

The following are possible solutions to the problem:

F.1.3 Access Control and Searchbase Support for eDirectory 8.7.3

You may need to apply patches for access control and searchbase support on Novell eDirectory.

F.1.3.1 Problem

When conducting searches using Novell eDirectory 8.7.3, attribute access controls and searchbase filters do not work as expected. For example, using eDirectory 8.7.3, you can configure filters to return only the organizational units (OUs) below the top node of the DIT, as follows:

(&(objectclass=*)(!(|(objectclass=oblixconfig)(objectclass=oblixlocation)(objectclass=genSiteOrgPerson)(objectclass=genSiteGroup)))(objectclass=*))

However, these searches return information that you were trying to exclude. For example, users may be returned.
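To confirm what the filter above should return before attributing wrong results to the directory server, the following added example (not part of the Oracle documentation) is a reference evaluator for a subset of RFC 4515 LDAP filters, run against constructed in-memory entries; the entry DNs and attribute values are assumptions.

```python
"""Reference evaluator for the eDirectory searchbase filter from F.1.3.

Added example, not part of the Oracle documentation. It parses a subset of
RFC 4515 LDAP filters (and/or/not, presence, equality) and evaluates them
against constructed in-memory entries, so an administrator can confirm what
a filter *should* return before blaming the directory server.
"""

# The filter quoted on the page: every entry except the Oblix config,
# location, user and group object classes.
FILTER = ("(&(objectclass=*)(!(|(objectclass=oblixconfig)(objectclass=oblixlocation)"
          "(objectclass=genSiteOrgPerson)(objectclass=genSiteGroup)))(objectclass=*))")


def parse_filter(text):
    """Parse an LDAP filter string into a nested tuple tree.

    Supported: (&...), (|...), (!...), (attr=*) presence, (attr=value) equality.
    Substring, comparison and extensible matches are not handled.
    """
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != '(':
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in '&|!':
            pos += 1
            children = []
            while text[pos] == '(':
                children.append(parse())
            if text[pos] != ')':
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            if op == '!' and len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            return (op, children)
        end = text.index(')', pos)
        attr, _, value = text[pos:end].partition('=')
        pos = end + 1
        if value == '*':
            return ('present', attr.lower())
        return ('equals', attr.lower(), value.lower())

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry (dict of attr -> list of values).

    Attribute names and values are compared case-insensitively, as for the
    objectClass attribute in a typical directory.
    """
    entry = {k.lower(): [str(v).lower() for v in vals] for k, vals in entry.items()}
    kind = tree[0]
    if kind == '&':
        return all(matches(c, entry) for c in tree[1])
    if kind == '|':
        return any(matches(c, entry) for c in tree[1])
    if kind == '!':
        return not matches(tree[1][0], entry)
    if kind == 'present':
        return tree[1] in entry
    return tree[2] in entry.get(tree[1], [])


# Constructed sample entries (assumed DNs and values, not real directory data).
ENTRIES = {
    "ou=Engineering,o=Company": {"objectClass": ["top", "organizationalUnit"], "ou": ["Engineering"]},
    "cn=jdoe,ou=People,o=Company": {"objectClass": ["top", "person", "genSiteOrgPerson"], "cn": ["jdoe"]},
    "cn=Admins,ou=Groups,o=Company": {"objectClass": ["top", "genSiteGroup"], "cn": ["Admins"]},
    "o=Oblix,o=Company": {"objectClass": ["top", "oblixconfig"], "o": ["Oblix"]},
}


def expected_results(filter_text=FILTER, entries=ENTRIES):
    """Return the sorted DNs the filter should match: only the OU, never the user."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))


if __name__ == "__main__":
    for dn in expected_results():
        print(dn)
```

If the live directory returns the user entry for this filter, the server, not the filter, is at fault, which is the eDirectory 8.7.3 behaviour the section describes.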

F.1.3.2 Solution

To work around this issue, apply the eDirectory patch 8.7.3.7. See the following URLs for details:

http://www.novell.com

http://support.novell.com/servlet/downloadfile?file=/uns/ftf/edir8737ftf_1.exe

F.1.4 Unable to Save a Directory Server Profile

When saving a directory server profile for use by Identity System and Access System components, you may receive an error similar to the following: "Unable to save the Directory Server Profile. The applications require a Directory Server Profile to access Policy base with search, modify, and delete operations to function properly. This Directory Server Profile cannot load balance between its servers as well."

F.1.4.1 Problem

When you install the Access System (at least the Policy Manager), you are asked to identify a location in the directory for policy information. This branch in the directory may or may not be the same as the branch where the Identity System configuration data is stored. Also during Policy Manager installation, a directory profile is created that provides the Identity Servers rights over the policy branch. The Identity Servers require the ability to search, modify and delete objects in the Access System's policy branch to ensure referential integrity between the Identity and Access Systems. For example, suppose that you allow a user access to a particular resource in the Allow Access page of a policy in the Access System. If you delete the user from the Identity System, referential integrity ensures that the user is also deleted from the policies in the Access System.

If there is no directory profile that provides referential integrity between the Identity and Access Systems, you receive the "Unable to save. . ." error. If you receive this message, you have probably deleted or edited this profile.

F.1.4.2 Solution

Create another directory server profile with access to the policy branch of the directory.

F.1.5 Active Directory: Adding Members Causes the Group Size to Shrink

Adding users to static groups works properly only up to a point.

Problem

Continuing to add members to static groups causes the group size to shrink.

Solution

Change the value for the parameter maxForRangedMemberRetrieval in globalparams.xml to a number higher than the desired group membership size:

  • If you are using Active Directory on Windows 2003, set the parameter maxForRangedMemberRetrieval in globalparams.xml to 1500.

  • If you are using Active Directory on Windows 2000, set it to 1000.

F.1.6 ADSI Cannot Be Enabled for a Directory Profile

When using Active Directory, you can use the Identity System Console to change the directory profile for user data from ADSI to LDAP or LDAP to ADSI. However, you cannot do this for configuration or policy data.

F.1.6.1 Problem

When you attempt to change the directory profile for policy or configuration data from the Identity System Console, you get an error. For example, suppose that you store user data in an Active Directory forest using LDAP, and you store configuration and policy data in a different Active Directory forest using ADSI. If you use the Identity System Console to change the ADSI flag in the configuration data database profile to LDAP, after restarting the Oracle Access Manager servers and services, the ADSI flag remains enabled and the following message appears:

"ADSI can be enabled for either user or configuration DB Profile if they are in a separate forest. ADSI Cannot be Enabled for this DB Profile."

Any attempt to modify the directory profile for configuration or policy data to ADSI produces an error because Oracle Access Manager already recognizes the profile as ADSI-enabled.

F.1.6.2 Solution

To modify the directory profile for configuration and policy data, rerun the setup program. See "Rerunning Setup Manually" for details.

F.1.7 Database Validation Fails

In the Identity System Console, when you attempt to save a new database instance for an RDBMS profile you may receive a "Database Validation failed" message.

F.1.7.1 Problem

This problem occurs when creating an RDBMS profile, as described in "Managing RDBMS Profiles". Usually, the problem arises because of an incorrect value for the SQLDBType parameter in the following file:

component_install_dir/identity/apps/common/bin/globalparams.xml

Where component_install_dir is the location where the Identity Server was installed.

F.1.7.2 Solution

Set the value for the SQLDBType parameter as follows:

  • For an ODBC connection type, set the value to Oracle.

  • For an OCI connection type, set the value to Oracle_OCI.

  • For SQL Server database, set the value to SQLServer.

F.2 Other Problems and Solutions

This section describes common problems and solutions for components other than the directory and database. It contains the following topics:

F.2.1 Auditing for the Identity System Ceases to Work

When you configure auditing for multiple Real Application Clusters (RAC) databases, auditing may not work correctly for a while.

F.2.1.1 Problem

After shutting down and restarting a RAC instance other than the one that was shut down the last time, auditing stops.

F.2.1.2 Solution

Restart the Identity Server.

F.2.2 Identity Server Crashes if It Cannot Find a Stylesheet

After you customize a stylesheet, the Identity Server crashes or issues an error about a Win32 exception being caught.

F.2.2.1 Problem

You may have used backslash characters as path separators in your stylesheets in xsl:include constructs.

F.2.2.2 Solution

If you have used backslash characters as path separators in your stylesheets in xsl:include constructs, replace the backslashes with forward slash characters. For example, you would change the following:

<xsl:include href=".\style.xsl" />

To this:

<xsl:include href="./style.xsl" />

F.2.3 Identity System Deletes a User Entry When an RDN Is Modified

The Identity System deletes user entries when you attempt to modify an RDN attribute value. The RDN is the leftmost attribute in a DN. Typically, the RDN attribute is cn or Full Name.

F.2.3.1 Problem

This problem occurs when you use Oracle Internet Directory as the back-end repository. A referential integrity setting has not been configured for the Identity Server.

F.2.3.2 Solution

To fix this problem:

  1. Edit the file ldapreferentialintegrityparams.xml in the following directory:

    Identity_Server_installation_directory\identity\oblix\data\common

  2. Change the value of the parameter referential_integrity_using from oblix to ds, as follows:

    <NameValPair ParamName="referential_integrity_using" Value="ds"/>
    
    
  3. Save the file.

  4. Restart the Identity Server for the changes to take effect.

    You should be able to modify the RDN attribute value without any problem.

  5. If you have multiple instances of the Identity Server installed, make this change to every instance of the Identity Server.

F.2.4 JPEG Photo Images Are Not Updated

When attempting to modify a photo in an Identity application, JPEG photo images are not being updated.

F.2.4.1 Problem

This problem occurs when a user who has write permission to the Photo attribute does the following:

  1. Open the User Manager.

  2. View a user profile that contains a photo.

  3. Select Panel View.

  4. Try to upload a new photo.

Expected result: The photo is updated.

Actual result: The photo does not change.

F.2.4.2 Solution

Modify JPEG photo images in the page view.

F.2.5 Memory Usage Rises for an Identity Server After Configuring a Directory Server Profile

After configuring a directory server profile, the memory usage for the Identity Server becomes too high. Note that this problem can also apply to an Access Server or Policy Manager.

F.2.5.1 Problem

When you configure a directory server profile, you are prompted to provide a maximum session time. The default value for the session time is 0 (unlimited). This may cause a performance issue, because the size of the caches for LDAP connections to the Identity Server increases over time. Oracle Access Manager does not control these caches directly.

F.2.5.2 Solution

To prevent the cache size from causing a performance problem, set the value of the Maximum Session Time (Minutes) for the directory server profile to a finite value, for example, 10 hours, as follows:

  1. From the Identity System Console click System Configuration, then click Directory Profiles.

  2. Click the link for the profile that you want to modify.

  3. In the Max. Session Time (Min.) field, set the value to 600.

F.2.6 Pass Phrase for Simple Transport Security Has Been Lost

If you need to retrieve a Simple mode passphrase, perform the following steps:

  1. Locate the password.xml file in the following directory:

    webgate\access\oblix\config

    <?xml version="1.0"?>
    <ParamsCtlg xmlns="http://www.oblix.com" CtlgName="password">
    <ValNameList ListName="">
    <NameValPair ParamName="passwd" Value="0243454458404644514154475C"/>
    </ValNameList>
    </ParamsCtlg>
    
    
  2. Use obdecrypt.exe on the hash, for example:

    C:\Documents and Settings\Administrator>cd C:\1014\aaa\access\oblix\tools\ldap_tools
    C:\1014\aaa\access\oblix\tools\ldap_tools>obdecrypt 0243454458404644514154475C
    Input parameter = 0243454458404644514154475C Decoded output = passphrase
    

F.2.7 Performance of a Component Is Slow

The performance of the system or a particular component can be slower than you think it should be.

F.2.7.1 Problem

You need to determine where to add servers or what component should be tuned for performance.

F.2.7.2 Solution

Use the information logs to identify components that are processing a heavier load or are taking a particularly long time to service requests. See "Logging" for details. In particular, you may want to focus on call processing times. See "Logging the Amount of Time to Process Requests" for details.

F.2.8 Reports With Non-ASCII Characters Are Not Imported Correctly in Excel

After modifying and exporting object class attributes, a report.csv file is created. In some languages, the report may have encoding problems.

F.2.8.1 Problem

In the Japanese locale or Simplified Chinese locale, there are encoding problems because of a Microsoft Excel limitation: Excel cannot process CSV files containing data in UTF-8 encoding.

F.2.8.2 Solution

To process the exported report, complete the process below.

  1. Rename report.csv to report.txt.

  2. Open report.txt in Excel 2003 (Excel 2000 does not support UTF-8 encoding).

  3. In the text import wizard, choose UTF-8 as the encoding and comma as the field separator.

  4. Click Finish.

F.2.9 Simple Transport Security Mode Expires After One Year

The default value for validity period for Simple transport security mode certificates is 365 days.

F.2.9.1 Problem

When you configure transport security among Oracle Access Manager components, you can choose between Open, Simple, and Cert modes. See "Changing Transport Security Modes" for details.

By default, Simple mode is only operational for one year.

F.2.9.2 Solution

You can extend the life of the Simple mode certificate as follows. In the following procedure, the configuration files are updated for all Identity Servers, Access Servers, WebPasses, and WebGates:

  1. Open the following files:

    component_install_dir/identity|access/oblix/tools/openssl/openssl_silent.cnf

    component_install_dir/identity|access/oblix/tools/openssl/openssl.cnf

    Where component_install_dir is the directory where the Access or Identity System component was installed.

  2. In these files, look for the parameter named default_days.

    By default, the value for this parameter is 365 days, as follows:

    default_days = 365 # Duration to certify for
    
    
  3. You can extend the life of the certificate by increasing the number of days available until expiration.

    Update both files with the same value for default days. For example, you can increase the life of the certificate to two years as follows:

    default_days = 730 # Duration for the certificate
    
    
  4. To regenerate the simple mode certificates with the duration you set in the openssl_silent.cnf and openssl.cnf files, reconfigure and restart the component using one of the following tools:

F.2.10 Stylesheet Validation Fails

When you create or customize a stylesheet using Presentation XML, the stylesheet has compilation errors.

F.2.10.1 Problem

This problem occurs when you do the following:

  1. Open a stylesheet in a text editor or (preferably) an XML editor.

  2. Change some parameters in the file and save the changes.

  3. Open an Identity application, for example, the User Manager, to see the changes.

Expected result: Changes appear as expected.

Actual result: The Identity System issues a bug report.

F.2.10.2 Solution

This problem can occur for any of a variety of reasons, but chances are good that there are errors in the way the stylesheet is coded.

Open the XSL file in an Internet Explorer window. If there is an error in the code, the browser will show the line number that contains the error. For more information on Presentation XML, see Oracle Access Manager Customization Guide.
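As an added example (not part of the Oracle documentation or product), the following pre-check does for an XSL file what the text suggests a browser would do, reporting the line number of any well-formedness error, and it also flags and fixes the backslash path separators in xsl:include and xsl:import href attributes described in "Identity Server Crashes if It Cannot Find a Stylesheet". The sample stylesheets are constructed here.

```python
"""Stylesheet pre-check for the failure modes in F.2.2 and F.2.10.

Added example, not part of the Oracle documentation or product. It reports
the line of any XML well-formedness error (as a browser would) and flags
backslash path separators in xsl:include / xsl:import href attributes.
"""
import re
import xml.etree.ElementTree as ET

# Matches the opening tag of an include/import and captures its href value.
INCLUDE_RE = re.compile(r'(<xsl:(?:include|import)\b[^>]*?\bhref=")([^"]*)(")')


def check_stylesheet(xsl_text):
    """Return a list of (line, message) problems; an empty list means the sheet passes."""
    problems = []
    try:
        ET.fromstring(xsl_text)
    except ET.ParseError as err:
        line, col = err.position
        problems.append((line, "not well-formed XML (column %d): %s" % (col, err)))
    # Backslashes in href values crash the Identity Server even though the XML is valid.
    for lineno, line in enumerate(xsl_text.splitlines(), start=1):
        for m in INCLUDE_RE.finditer(line):
            href = m.group(2)
            if "\\" in href:
                problems.append((lineno, 'backslash in href="%s"; use "%s" instead'
                                 % (href, href.replace("\\", "/"))))
    return problems


def fix_separators(xsl_text):
    """Return the stylesheet text with backslashes in include/import hrefs replaced by '/'."""
    return INCLUDE_RE.sub(lambda m: m.group(1) + m.group(2).replace("\\", "/") + m.group(3),
                          xsl_text)


# Constructed samples (not stylesheets shipped with the product).
GOOD = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:include href="./style.xsl" />
  <xsl:template match="/">
    <html><body><xsl:value-of select="name"/></body></html>
  </xsl:template>
</xsl:stylesheet>
"""

BAD_SEPARATOR = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:include href=".\\style.xsl" />
</xsl:stylesheet>
"""

MALFORMED = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html><body><xsl:value-of select="name"></body></html>
  </xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad separator", BAD_SEPARATOR), ("malformed", MALFORMED)):
        print(label, check_stylesheet(text))
    print(fix_separators(BAD_SEPARATOR))
```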

F.2.11 User Creation Might Fail When You Have Multi-byte Characters in the Password

Problem:

When you create a user with multi-byte characters in the password using a non-English keyboard, user creation might fail. You might see the error: "Directory Server Password Policy violated."

Cause

This problem will occur when you have the 7-bit check plug-in enabled for the "uid" and "userpassword" attributes. In this case, modifying a password for an existing user forces the "7-bit check" for the newly entered password. If the newly entered password contains multi-byte characters, then it does not qualify as "7-bit clean". The product is designed to function in this way.

For example, when creating a workflow, the values are stored under the "obcontainerId=workflowInstances,o=Oblix,o=company,c=us" node. The password value is stored as "obattrvals: <value>" and is encoded as "7-bit clean". When the Approver approves the workflow, the password value is decrypted and stored under the "userpassword" attribute.

Solution

If you want "7-bit check" to be enabled for workflow steps you need to write your own plug-ins.

Note:

Your directory server might not support the 7-bit check. In any case, you must be able to create a user with multi-byte characters.

If you want a user password (or any other attribute) to contain multi-byte characters, you must disable the "7-bit check" for the specific attribute. The following procedure refers to steps for a Sun (formerly iPlanet) directory server. Your details and steps might be different. See your vendor documentation for more information.

To disable the 7-bit check

  1. Log in to your directory server as an administrator.

  2. Click your directory server instance under "Server Group".

  3. Go to the configuration tab for the directory server instance.

  4. Expand the "Plug-ins" node to display the list of plug-ins that are applied to your directory server instances.

  5. Click "7-bit check" to display the list of attributes that are acted upon by this plug-in.

  6. Remove the required attributes or disable the plug-in entirely, as follows:

    • Remove "obattrvals".

    • Disable the plug-in by clicking the Advanced button and setting "nsslapd-pluginenabled" to "off".

F.2.12 WebPass Is Unable to Connect to Its Associated Identity Server

If you have installed a WebPass on IIS 6 and enabled logging, the WebPass may be unable to connect to its associated Identity Server.

F.2.12.1 Problem

This problem occurs when you send logs to an MPFileLogWriter. It does not occur when you send logs to a FileLogWriter.

The problem occurs with the MPFileLogWriter when there is no anonymous user with access to the directory that contains the log files. MPFileLogWriter uses a file named <logfile name>.lck, where <logfile name> is the name of the log file, to synchronize multiple processes that write to the corresponding log file. The MPFileLogWriter write-locks the .lck file before writing to the oblog.log file.

F.2.12.2 Solution

Configure an anonymous user with access to the directory that contains the log files. In some circumstances, the user context used to acquire the write-lock will be the IIS Anonymous web user. By default, this user is named IUSR_<computer name>, but you can configure any anonymous user for this purpose.

F.3 Error Messages and Recommendations for Handling Them

The following are error messages and troubleshooting tips for handling them.

F.3.1 "Cannot Find xenroll.cab" Error Is Issued When Using a Workflow

When running a workflow, a user may receive a 404 error that states "Cannot find xenroll.cab."

F.3.1.1 Problem

This problem occurs when a user runs a workflow in an Identity System application, for example:

  1. Open the User Manager.

  2. View a user profile.

  3. Click a Modify button on the profile that invokes an Enroll Certificate Workflow.

In older versions of Oracle Access Manager, the file xenroll.cab was used for certificate enrollment workflows and certificate revocation workflows. However, Oracle has removed support for these workflows. This file is not used anymore.

F.3.1.2 Solution

You can safely remove the references to xenroll.cab from the stylesheet. See the Oracle Access Manager Customization Guide for details. The following is an example of this reference:

<head>
... <object id="cenroll" classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
codebase="/identity/oblix/apps/common/bin/xenroll.cab" />
... <script src="http://km.oraclecorp.com/identity/oblix/apps/common/bin/installCert.vbx" language="VBScript" />
</head>

F.3.2 "Enable Failed" Error Is Issued When Using a Workflow

The workflow fails when a user runs it.

F.3.2.1 Problem

This problem occurs when a user runs a workflow in an Identity System application, for example:

  1. Open the User Manager.

  2. View a user profile.

  3. Click a Modify button on the profile that invokes a Change Attribute Workflow.

Expected result: The workflow behaves as expected.

Actual result: The user receives an "Enabled failed" error.

F.3.2.2 Solution

There is no definitive solution to this problem, since workflow configuration can fail for a number of reasons. However, a likely candidate is selecting an invalid searchbase during workflow configuration. Delete the searchbase and re-configure the workflow. See "About the Searchbase" for details.

F.3.3 "There is No Profile Configured for This Kind of Object" Error Is Issued

You may receive this error when managing administrators in an environment that uses Oracle Internet Directory.

F.3.3.1 Problem

In Oracle Internet Directory, the orcladmin user (dn: cn=orcladmin) can be thought of as a pseudo user with administrative privileges. There is no LDAP entry corresponding to this user in Oracle Internet Directory. This user is part of special groups that are created in Oracle Internet Directory. The Identity Server requires that every user exist as an independent entry in the directory. When these special groups are viewed or modified using Group Manager, you may see the message, "There is no profile configured for this kind of object."

F.3.3.2 Solution

If you have this issue, view and update these special Oracle Internet Directory groups using the Oracle Directory Manager application.

Note that there are some special groups in Oracle Internet Directory that exhibit cyclic behavior. Oracle recommends managing these groups with Oracle Directory Manager rather than with the Group Manager or the Identity Server.

F.3.4 "Warning: Page Has Expired" Error Is Issued

You may receive this error when clicking the Back button after conducting a search in an Identity System application.

F.3.4.1 Problem

By default, Identity System application pages are not cached as a security measure. Caching is disabled to prevent a user from clicking the Back button and seeing what the previously logged-in user was viewing. When caching is turned off, users receive a "page expired" error if they click the Back button from a search results page.

F.3.4.2 Solution

If you want to cache Identity System application pages, set the value of the parameter browserNoCache to false in the following file:

Identity_Server_install_dir/apps/common/bin/globalparams.xml

<SimpleList>
     <NameValPair ParamName="browserNoCache" Value="false"></NameValPair>
</SimpleList>

F.4 Capturing Diagnostic Information

As of Oracle Access Manager 10.1.4.2, the Access Server and Identity Server provide diagnostic tools to help you work with an Oracle Technical Support representative to troubleshoot problems.

These tools are not for day-to-day administration. Their purpose is to help you investigate problems that require assistance from Oracle Technical Support.

The diagnostic tools enable you to do the following:

The rest of this section discusses the following topics:

F.4.1 About Oracle Access Manager Diagnostics

You should only collect diagnostic data to analyze serious problems. In general, you would only run diagnostics when working with a Technical Support representative.

The diagnostic tools are installed with the Access Server and the Identity Server. The diagnostics can focus on three areas: caches, mutexes, and threads. For example, if a server has hung, you can collect diagnostic information on all of the mutexes to see if one has been locked. The diagnostic tool displays the returned data on-screen and saves the data in a file.

As a best practice, you should run the same diagnostics a few times to determine if a problem is temporary or persistent. For example, you can compare diagnostic output to see if memory or cache size is increasing.

F.4.2 Collecting Diagnostic Data

The following tools enable you to collect diagnostic data:

  • The tool aaa_mon.exe enables you to collect diagnostic data for the Access System.

  • The tool ois_mon.exe enables you to collect diagnostic data for the Identity System.

The following procedures describe how to use these tools. In the following procedures, a vertical bar ("|") represents a choice of command options.

Note:

Running the diagnostic tool produces overhead and can affect system performance. The more detail you request when running a diagnostic tool, the more memory is consumed.

For this reason, do not request detailed diagnostics for cache queries.

To view a list of supported diagnostic operations

  1. Navigate to the following directory:

    install_dir\identity|access\oblix\tools\ois_mon|aaa_mon

    Where install_dir is the directory where the Identity Server or Access Server is installed.

  2. Issue the following command:

    aaa_mon.exe|ois_mon.exe -s server -p port -i install_dir -m open|simple|cert -o optype=GetListofSupportedOperations
    
    

    Where:

    • server is the name of the host machine where you want to collect the information.

    • port is the listen port for the host.

    • install_dir is the installation directory for the component being diagnosed.

    • On the -m parameter, specify open, simple, or cert for the transport security mode.

      See "Changing Transport Security Modes" for details. If you specify cert you must also specify the following parameter:

      -c path_for_certs
      
      

      Where path_for_certs is the fully qualified path to the certificate files.

To retrieve the name of a diagnostic object

  1. Navigate to the following directory:

    install_dir\identity|access\oblix\tools\ois_mon|aaa_mon

    Where install_dir is the directory where the Identity Server or Access Server is installed.

  2. To retrieve the names of all objects of a particular type, issue the following command, using one of the options separated by a vertical bar:

    aaa_mon.exe|ois_mon.exe -s server -p port -i install_dir -m open|simple|cert 
    -o optype=GetDiagnosticInformation,object=cache|mutex|thread,mode=list
    
    

    Where:

    • server is the name of the host machine where you want to collect the information.

    • port is the listen port for the host.

    • install_dir is the installation directory for the component being diagnosed.

    • On the -m parameter, specify open, simple, or cert for the transport security mode.

      See "Changing Transport Security Modes" for details. If you specify cert you must also specify the following parameter:

      -c path_for_certs
      
      

      Where path_for_certs is the fully qualified path to the certificate files.

    • The object parameter limits the results to a particular object type.

      By default, information is fetched for all diagnosable objects. The following are possible values:

      • cache: A cache can hold copies of recently accessed data in memory. A cache can also store data on disk to prevent the program from having to download the same information from the internet. Also see Table F-1 and Table F-2 for a list of cache names and a brief description of each cache.

      • mutex: A mutual exclusion object enables multiple program threads to share the same resource, although not at the same time. When a program is started, a mutex is created with a unique name.

      • thread: A program can split itself into two or more simultaneously running threads that run concurrently, each performing a different job.

To collect diagnostic information for a particular object

  1. Navigate to the following directory:

    install_dir\identity|access\oblix\tools\ois_mon|aaa_mon

    Where install_dir is the directory where the Identity Server or Access Server is installed.

  2. Issue the following command:

    aaa_mon.exe|ois_mon.exe -s server -p port -i install_dir 
    -m open|simple|cert -o optype=GetDiagnosticInformation[, object=cache|mutex|thread, mode=brief|detail|list|usage, name=name]
    
    

    Where:

    • server is the name of the host machine where you want to collect the information.

    • port is the listen port for the host.

    • install_dir is the installation directory for the component being diagnosed.

    • On the -m parameter, specify open, simple, or cert for the transport security mode.

      See "Changing Transport Security Modes" for details. If you specify cert you must also specify the following parameter:

      -c path_for_certs
      
      

      Where path_for_certs is the fully qualified path to the certificate files.

    • The optional object parameter for GetDiagnosticInformation limits the results to a particular object type.

      By default, information is fetched for all diagnosable objects. The following are possible values:

      • cache: A cache can hold copies of recently accessed data in memory. A cache can also store data on disk to prevent the program from having to download the same information from the internet.

      • mutex: A mutual exclusion object enables multiple program threads to share the same resource, although not at the same time. When a program is started, a mutex is created with a unique name.

      • thread: A program can split itself into two or more simultaneously running threads that run concurrently, each performing a different job.

    • The optional mode parameter for GetDiagnosticInformation determines the amount and type of detail returned.

      The following are possible values:

      • brief: Prints a summary of the diagnosable objects on the screen.

      • detail: Writes the current values of all diagnosable objects of the specified type to a file in the following directory:

        install_dir\identity|access\oblix\tools\ois_mon|aaa_mon\OISDiag_datetime|AAADiag_datetime

        Where install_dir is the directory where the Identity Server or Access Server is installed and datetime is the date and time when the file was created.

        Do not specify detail mode for caches.

      • list: Shows a list of all diagnosable objects of the specified type.

      • usage: Displays help text for the diagnostics tool.

    • The optional name parameter for GetDiagnosticInformation limits the command output to a particular object.

F.4.3 Interpreting Diagnostic Output

You should only attempt to interpret diagnostic output when working with a Technical Support Representative. This section provides simple guidelines for how to read the diagnostic XML output file.

This section discusses the following topics:

    • Interpreting Diagnostic Output When the list Parameter Is Used

    • Interpreting Diagnostic Output When the detail Parameter Is Used

    • Interpreting the Diagnostic Data for Caches

F.4.3.1 Interpreting Diagnostic Output When the list Parameter Is Used

When you use the list parameter on a diagnostic command, the output is written to the screen and to the log file. The most important information is returned in the name element of the output file. Also see Table F-1 and Table F-2 for a list of cache names and a brief description of each cache.

The following command excerpt uses list mode to retrieve a list of cache names:

-o optype=GetDiagnosticInformation,mode=list,object=cache

Example F-1 shows the output for the preceding diagnostic command excerpt.

Example F-1 Sample Output for a Diagnostic Command That Used list Mode

<?xml version="1.0" encoding="utf-8"?>
<DiagnosticReport>
    <Command>
        <CommandArg
            name="optype">
            <Value>GetDiagnosticInformation</Value>
        </CommandArg>
        <CommandArg
            name="mode">
            <Value>list</Value>
        </CommandArg>
        <CommandArg
            name="object">
            <Value>cache</Value>
        </CommandArg>
    </Command>
    <CommandOutput>
        <Objects>
            <Object
                type="cache">
                <Name>UidInfoCache</Name>
                <Name>PersonOOOIndicatorCache</Name>
                <Name>AuditCache</Name>
                <Name>AuditUserCache</Name>
                <Name>AuditMasterAuditPolicyCache</Name>
                <Name>AuditServerInfoCache</Name>
                <Name>WfDefCache</Name>
                <Name>WfDefSetCache</Name>
                <Name>xsllib_stylesheet</Name>
                <Name>PortalIdCache</Name>
            </Object>
        </Objects>
    </CommandOutput>
</DiagnosticReport>

F.4.3.2 Interpreting Diagnostic Output When the detail Parameter Is Used

When you use the detail parameter on the command to get diagnostic information, the output file contains information on the values set for the object, its current state, and multiple data points about its performance. Items of interest in the output file depend on the type of object. For example, with a cache object, you may be interested in the cache size and if the cache has been flushed.

In general, you should walk through detailed output with a support representative, who can interpret the meaning of the diagnostic.

Example F-2 shows the generic structure of the XML file that is generated when the detail or brief parameter is used:

Example F-2 Generic XML Output for a Diagnostic Using mode=detail or mode=brief

<?xml version="1.0" encoding="utf-8"?>
<DiagnosticReport>
  <Command type="CommandType1">
    <CommandArg name="Arg1">
      <Value>ArgValue1</Value>
    </CommandArg>
    <CommandArg name="Arg2">
      <Value>ArgValue2-1</Value>
      <Value>ArgValue2-2</Value>
    </CommandArg>
  </Command>
  <CommandOutput>
    <Objects>
      <Object type="ObjectType1" name="ObjectName1">
        <Attribute name="Attribute1">
          <Value>Value1</Value>
        </Attribute>
        <Attribute name="Attribute2">
          <Value>Value2-1</Value>
          <Value>Value2-2</Value>
          -----
        </Attribute>
      </Object>
      <Object type="ObjectType2" name="ObjectName2">
        <Attribute name="Attribute3">
          <Value>Value3</Value>
        </Attribute>
        -----
        -----
      </Object>
      -----
      -----
    </Objects>
  </CommandOutput>
</DiagnosticReport>

For example, the following is a command excerpt for generating detailed diagnostic data:

. . . -o optype=GetDiagnosticInformation,mode=detail,object=cache,name=XSLXDKCache

The previous command excerpt produces the output in Example F-3:

Example F-3 Output for a Diagnostic Command Using mode=detail

<?xml version="1.0" encoding="utf-8" ?> 
<DiagnosticReport>
  <Command>
    <CommandArg name="optype">
      <Value>GetDiagnosticInformation</Value> 
    </CommandArg>
    <CommandArg name="mode">
      <Value>detail</Value> 
    </CommandArg>
    <CommandArg name="object">
      <Value>cache</Value> 
    </CommandArg>
    <CommandArg name="name">
      <Value>XSLXDKCache</Value> 
    </CommandArg>
  </Command>
  <CommandOutput>
    <Objects>
      <Object type="cache" name="XSLXDKCache">
        <Attribute name="state">
          <Value>active</Value> 
        </Attribute>
        <Attribute name="Maximum Elements">
          <Value>200</Value> 
        </Attribute>
        <Attribute name="Current Elements">
          <Value>11</Value> 
        </Attribute>
        <Attribute name="Timeout">
          <Value>0</Value> 
        </Attribute>
        <Attribute name="Hit Count">
          <Value>4</Value> 
        </Attribute>
        <Attribute name="Miss Count">
          <Value>11</Value> 
        </Attribute>
        <Attribute name="Expire Count">
          <Value>0</Value> 
        </Attribute>
        <Attribute name="Flush Count">
          <Value>0</Value> 
        </Attribute>
        <Attribute name="Memory footprint">
         <Value>945008</Value> 
        </Attribute>
        <Attribute name="keys">
          <Value>../../../lang/en-us/style0/predefinedreports.xsl</Value> 
          <Value>../../../lang/en-us/style0/reports.xsl</Value> 
          <Value>../../../lang/en-us/style0/usc_admin_main.xsl</Value> 
          <Value>../../../lang/en-us/style0/admin_wf_definition.xsl</Value> 
          <Value>../../../lang/en-us/style0/wf_quickstart_report.xsl</Value> 
          <Value>../../../lang/en-us/style0/reportresults.xsl</Value> 
          <Value>../../../lang/en-us/style0/usc_searchresults.xsl</Value> 
          <Value>../../../lang/en-us/style0/usc_profile.xsl</Value> 
          <Value>../../../lang/en-us/style0/login.xsl</Value> 
          <Value>../../../lang/en-us/style0/qbmodify.xsl</Value> 
          <Value>../../../lang/en-us/style0/wf_quickstart.xsl</Value> 
        </Attribute>
      </Object>
    </Objects>
  </CommandOutput>
</DiagnosticReport>
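As an added example, not Oracle's code, the following Python parser reads the DiagnosticReport documents shown in Example F-1 (mode=list, where the Object carries a list of Name elements) and Example F-3 (mode=detail, where the Object carries Attribute elements), and derives the figures a cache review usually starts from: fill level, hit ratio and whether the cache has been flushed. The embedded sample is a constructed condensation of Example F-3.

```python
import xml.etree.ElementTree as ET

# Constructed sample, condensed from the mode=detail report for XSLXDKCache in
# Example F-3; the element structure is the one the page documents.
DETAIL_REPORT = """<?xml version="1.0" encoding="utf-8" ?>
<DiagnosticReport>
  <Command>
    <CommandArg name="optype"><Value>GetDiagnosticInformation</Value></CommandArg>
    <CommandArg name="mode"><Value>detail</Value></CommandArg>
    <CommandArg name="object"><Value>cache</Value></CommandArg>
    <CommandArg name="name"><Value>XSLXDKCache</Value></CommandArg>
  </Command>
  <CommandOutput><Objects>
    <Object type="cache" name="XSLXDKCache">
      <Attribute name="state"><Value>active</Value></Attribute>
      <Attribute name="Maximum Elements"><Value>200</Value></Attribute>
      <Attribute name="Current Elements"><Value>11</Value></Attribute>
      <Attribute name="Hit Count"><Value>4</Value></Attribute>
      <Attribute name="Miss Count"><Value>11</Value></Attribute>
      <Attribute name="Flush Count"><Value>0</Value></Attribute>
      <Attribute name="keys">
        <Value>../../../lang/en-us/style0/login.xsl</Value>
        <Value>../../../lang/en-us/style0/qbmodify.xsl</Value>
      </Attribute>
    </Object>
  </Objects></CommandOutput>
</DiagnosticReport>"""

def parse_report(xml_text):
    """Return (command args, objects); objects carry both the mode=list Name list and the mode=detail attribute map."""
    root = ET.fromstring(xml_text)
    args = {a.get("name"): [v.text for v in a.findall("Value")]
            for a in root.iter("CommandArg")}
    objects = [{
        "type": o.get("type"), "name": o.get("name"),          # name is absent in list mode
        "names": [n.text for n in o.findall("Name")],          # filled in list mode
        "attributes": {a.get("name"): [v.text.strip() for v in a.findall("Value")]
                       for a in o.findall("Attribute")},       # filled in detail/brief mode
    } for o in root.iter("Object")]
    return args, objects

def cache_summary(obj):
    """Fill level, hit ratio and flush flag for one detail-mode cache object."""
    a = obj["attributes"]
    hits, misses = int(a["Hit Count"][0]), int(a["Miss Count"][0])
    return {"state": a["state"][0],
            "fill": int(a["Current Elements"][0]) / int(a["Maximum Elements"][0]),
            "hit_ratio": hits / (hits + misses) if hits + misses else 0.0,
            "flushed": int(a["Flush Count"][0]) > 0,
            "keys": len(a.get("keys", []))}
```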

F.4.3.3 Interpreting the Diagnostic Data for Caches

An Oracle Technical Support representative can help you interpret diagnostic data. If you are running diagnostics for a cache, Table F-1 and Table F-2 can help you understand the diagnostic output.

Table F-1 Identity System Cache Names and Descriptions

Cache Name                     Description
UidInfoCache                   Stores information on the structural object class for each user.
PersonOOOIndicatorCache        Caches the out-of-office indicator of each user.
WfDefCache                     A cache of all workflow definitions.
WfDefSetCache                  A cache of all workflow definitions of a particular type, for example, the create user type of workflow.
xsllib_stylesheet              Not used in a production environment.
PortalIdCache                  Not used in a production environment.
AuditCache                     A cache of the auditing configuration information for the server.
AuditUserCache                 A cache of the User Manager audit policy.
AuditMasterAuditPolicyCache    A cache of the master audit policy.
XMLStructureCache              A cache of the internal XML data structure that represents each page rendered in the browser.
XSLXDKCache                    Contains the compiled form of each stylesheet (XSL) used in the Identity System.


Table F-2 Access System Cache Names and Descriptions

Cache Name                     Description
UserAccessCache                Used during the authorization phase of evaluation. Holds a hash table of rules and groups that the user satisfies.
AAASyncRequestCache            Used to maintain cache coherency in the Access System and to provide updates to Access clients.
AAAUserCache                   Holds a list of user profile attributes. Used in the Authenticate, IsAuthorized and Audit Event phases of request evaluation.
AAAUserCredCache               Holds user passwords. Used in the authentication phase of request evaluation to validate passwords.
AuditPolicyCache               Used during processing of an IsResrcProtected event to retrieve the audit mask. Also used during an audit event. Stores audit policies.
AuthentPluginCache             A wrapper for a custom authentication plug-in. Used during authentication.
AuthentSchemeCache             Used during processing of an IsResrcProtected event and the authentication phase of a resource request. Stores authentication scheme details.
AuthzDSOCache                  A wrapper for a custom authorization plug-in. Used when processing IsAuthorized events.
AuthzRuleCache                 Used when processing an IsAuthorized event to evaluate a user's permissions to access a resource and get action information. Stores policy details.
AuthzSchemeCache               Holds custom authorization scheme information. Used in processing an IsAuthorized event.
ClientConfigCache              Used when processing UpdateConfiguration requests from Access clients.
DomainPasswdPolicyIDMapper     Holds password policy IDs. Used when processing Authenticate events to retrieve password policy information.
GrpQueryCache                  Holds a list of groups that the user belongs to. Used during evaluation of ObMyGroups.
HostIdHashString               Used when processing an IsResrcProtected event to find the matching policy. Stores host identifiers.
LPMPolicyCache                 Used during the authenticate phase of evaluation to retrieve Lost Password Management policy information.
PSCGrpDefnCache                Holds nested groups and rules for dynamic groups.
PSCUid2OcCache                 Used in the authorization phase of evaluation. Contains a hash table of rules and groups that the user satisfies.
PasswdPolicyCache              Used in the authentication phase of evaluation to retrieve password policy information.
PasswdPolicyUserCache          Used in the authentication phase of evaluation to retrieve password policy information.
PolicyCache                    Used during the IsAuthorized phase of processing to evaluate a user's access to a resource and retrieve action information. Stores policy rules.
SDCache                        Used during the IsResrcProtected phase to find the matching policy and authentication scheme. Stores site domain objects.
SessionTokenCache              Stores the decrypted session token. Reduces the overhead of decrypting the session token.
URLPrefixCache                 Used to find which policy domain the resource maps to. Stores policy domain IDs.
WRORCache                      Used when processing an IsResrcProtected event to find the authentication challenge scheme and authentication specifics. Stores authentication scheme details.
jobstatuscache                 Holds the status of reporting jobs.


F.4.4 Automatically Writing Stack Traces to a Log File After a Core Dump

If Oracle Access Manager experiences a core dump, you can write a stack trace of the core dump to a log file. The stack trace lists the functions that were called immediately before the dump. The information in the trace can help with troubleshooting. For example, a stack trace can show whether a thread is blocked waiting for a response from a directory server, or whether a message reader thread is still alive.

You must enable logging if you want stack traces to be written to a log file. Any logging level is permitted when writing a stack trace. See "Logging" for details.

You can send the log file that contains the stack trace to Oracle Technical Support to help with diagnosing the core dump. The first three entries of the stack trace are always the same; they belong to the stack trace functionality itself. The fourth entry is the function that failed in the case of a core dump or, if you requested the stack trace manually, the last function that the thread executed at the time of the request.

This information should only be interpreted by an Oracle Technical Support representative.

F.4.5 Manually Requesting a Stack Trace

The following procedure describes how to manually request a stack trace.

To manually request a stack trace

  1. Navigate to the following directory:

    install_dir\identity|access\oblix\tools\ois_mon|aaa_mon

    Where install_dir is the directory where the Identity Server or Access Server is installed.

  2. Issue the following command:

    aaa_mon.exe|ois_mon.exe -s server -p port -i install_dir -m open|simple|cert -o optype=GenerateStackTrace

    Where a vertical bar ("|") represents a choice of commands, server is the name of the host machine where you want to collect the information, port is the listen port for the host, and install_dir is the installation directory for the component being diagnosed.

    On the -m parameter, specify open, simple, or cert for the transport security mode. See "Changing Transport Security Modes" for details. If you specify cert you must also specify the following parameter:

    -c path_for_certs

    Where path_for_certs is the fully qualified path to the certificate files.

  3. To view the results, open the log file for the server where the trace was run.

    See "Logging" for details.

F.5 Need More Help?

You can find more solutions on Oracle MetaLink, http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.