Oracle® Identity Management

Fixed Bugs and Workarounds

10g Release 3 Patch Set 1 (10.1.4.2)

E10972-01

October 2007

1 Introduction

These patch notes discuss the following topics:

2 What's New in Release 10.1.4.2 for Identity Management

This release contains enhancements and bug fixes for the following Identity Management products:


Note:

Release notes for Oracle Access Manager 10g Release 3 Patch Set 1 (10.1.4.2) are provided in a separate document.

3 Upgrading to Release 10.1.4.2

This section describes the requirements and procedures for performing the upgrade.

The following topics are discussed:

3.1 Required Software

You can apply this Oracle Identity Management 10g Release 3 Patch Set 1 (10.1.4.2) only to Oracle Identity Management 10g (10.1.4.0.1) product instances. If you have an earlier product instance, you must upgrade to Release 3 (10.1.4.0.1) before applying this patch set.

Do not perform a fresh installation or an in-place upgrade of earlier Oracle Identity Management components using these patch set packages.

Oracle Identity Management 10g Release 3 Patch Set 1 (10.1.4.2) is supported on the following operating systems:

  • Linux x86

  • Microsoft Windows (32-bit)


Note:

Do not perform a fresh installation or an in-place upgrade of earlier Oracle Identity Management components using the Oracle Identity Management 10g Release 3 Patch Set 1 (10.1.4.2) patch set packages.

3.2 Pre-Installation Requirements

The following are pre-installation requirements for this patch set:

  • Ensure that the system configuration meets the recommendations described in the installation guide and other manuals.

  • Do not remove currently installed patch sets or PSE Hotfixes before applying this patch set.

    You do not need to remove installed Oracle Identity Management 10.1.4.2.0 patch sets.

  • When applying the patch, use the same login credentials that you used for installation of the products.

    Using different credentials can result in unexpected behavior, for example, several error messages can be displayed.

  • Make a backup before applying the patch.


Notes:

After this patch is installed, you cannot back it out. There is no rollback.

This patch overwrites the properties and map files in Oracle_Home/ldap/odi/conf. At minimum, you may want to restore these properties after applying the patch.


3.3 Downloading and Applying the Patch Set

You should increase the timeout values for various components to prevent any timeout issues while applying the patch. After increasing the timeout values, you can download and install the patch.

The rest of this section discusses the following topics:

To increase the component timeout values

  1. Open the file Oracle_Home/opmn/conf/opmn.xml in an editor and increase the timeouts as follows:

      HTTP_Server:    <start timeout="900" retry="3"/>
                      <stop timeout="300"/>
                      <restart timeout="900"/>

      OC4J_SECURITY:  <start timeout="2000" retry="2"/>
                      <stop timeout="120"/>
                      <restart timeout="720" retry="2"/>

      oca:            <start timeout="1800" retry="2"/>
                      <stop timeout="120"/>
                      <restart timeout="720" retry="2"/>

      dcm-daemon:     <start timeout="3600" retry="3"/>
                      <stop timeout="3600"/>
                      <restart timeout="3600"/>

    The following file fragments are provided as a guide for specifying these parameters:

    HTTP_Server example:
             <ias-component id="HTTP_Server">
                <process-type id="HTTP_Server" module-id="OHS">
                   <environment>
                      <variable id="PERL5LIB" value="C:\oracle\as1041\Apache\Apache\mod_perl\site\5.6.1\lib"/>
                      <variable id="PHPRC" value="C:\oracle\as1041\Apache\Apache\conf"/>
                   </environment>
                   <module-data>
                      <category id="start-parameters">
                         <data id="start-mode" value="ssl-disabled"/>
                      </category>
                   </module-data>
                   <start timeout="900" retry="3"/>
                   <stop timeout="300"/>
                   <restart timeout="900"/>
                   <process-set id="HTTP_Server" numprocs="1"/>
                </process-type>
             </ias-component>
    -------------------------------------------------------------------------------
    OC4J_SECURITY example:
             <ias-component id="OC4J">
                <dependencies>
                   <OID infrastructure="true"/>
                </dependencies>
                <process-type id="OC4J_SECURITY" module-id="OC4J">
                   <module-data>
                      <category id="start-parameters">
                         <data id="java-options" value="-Xrs -server -Djava.security.policy=$ORACLE_HOME/j2ee/home/config/java2.policy -Djava.awt.headless=true"/>
                      </category>
                      <category id="stop-parameters">
                         <data id="java-options" value="-Djava.security.policy=$ORACLE_HOME/j2ee/home/config/java2.policy -Djava.awt.headless=true"/>
                      </category>
                   </module-data>
                   <start timeout="2000" retry="2"/>
                   <stop timeout="120"/>
                   <restart timeout="720" retry="2"/>
    -------------------------------------------------------------------------------
    oca example:
                <process-type id="oca" module-id="OC4J">
                   <module-data>
                      <category id="start-parameters">
                         <data id="java-options" value="-server -Djava.security.pol>
                         <data id="oc4j-options" value="-properties"/>
                      </category>
                      <category id="stop-parameters">
                         <data id="java-options" value="-Djava.security.policy=/u01>
                      </category>
                   </module-data>
                   <start timeout="900" retry="2"/>
                   <stop timeout="120"/>
                   <restart timeout="720" retry="2"/>
                   <port id="ajp" range="12501-12600"/>
    -------------------------------------------------------------------------------
    dcm-daemon example:
             <ias-component id="dcm-daemon" status="enabled"
                <process-type id="dcm-daemon" module-id="DCMD
                   <start timeout="3600" retry="3"/>
                   <stop timeout="3600"/>
                   <restart timeout="3600"/>
                   <process-set id="dcm" numprocs="1">
    -------------------------------------------------------------------------------
    
  2. Enter the following command:

    opmnctl validate
    
  3. Enter the following command:

    dcmctl updateconfig
    
  4. Stop all components using opmnctl, as follows:

    opmnctl stopall
    
  5. Restart the components, as follows:

    opmnctl startall
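
The following Python script is an added illustration of step 1, not part of Oracle's documentation or tooling: it raises the start, stop and restart timeouts of the four components named above to the values listed in the patch notes, never lowers a timeout an administrator already set higher, and reports any element it could not find. The opmn.xml fragment embedded in it is a constructed sample; point the script at a copy of your real file before running `opmnctl validate`.

```python
"""Raise OPMN start/stop/restart timeouts before applying the 10.1.4.2 patch set.

Added example, not Oracle's code. The recommended values are those listed in the
patch notes; SAMPLE_OPMN_XML is a constructed, trimmed fragment for demonstration.
"""
import sys
import xml.etree.ElementTree as ET

# process-type id -> {element: (timeout, retry)}; retry=None means leave retry alone.
RECOMMENDED = {
    "HTTP_Server":   {"start": ("900", "3"),  "stop": ("300", None),  "restart": ("900", None)},
    "OC4J_SECURITY": {"start": ("2000", "2"), "stop": ("120", None),  "restart": ("720", "2")},
    "oca":           {"start": ("1800", "2"), "stop": ("120", None),  "restart": ("720", "2")},
    "dcm-daemon":    {"start": ("3600", "3"), "stop": ("3600", None), "restart": ("3600", None)},
}

# Constructed sample: low defaults, one missing <restart>, one stop already above the minimum.
SAMPLE_OPMN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<opmn xmlns="http://www.oracle.com/ias-instance">
  <process-manager>
    <ias-component id="HTTP_Server">
      <process-type id="HTTP_Server" module-id="OHS">
        <start timeout="180" retry="2"/>
        <stop timeout="120"/>
        <restart timeout="180"/>
        <process-set id="HTTP_Server" numprocs="1"/>
      </process-type>
    </ias-component>
    <ias-component id="OC4J">
      <process-type id="OC4J_SECURITY" module-id="OC4J">
        <start timeout="600" retry="2"/>
        <stop timeout="120"/>
        <!-- restart element missing -->
      </process-type>
    </ias-component>
    <ias-component id="dcm-daemon" status="enabled">
      <process-type id="dcm-daemon" module-id="DCMD">
        <start timeout="3600" retry="3"/>
        <stop timeout="7200"/>
        <restart timeout="3600"/>
      </process-type>
    </ias-component>
  </process-manager>
</opmn>
"""


def _parse(opmn_xml):
    """Parse opmn.xml keeping comments; return (root, namespace prefix such as '{uri}' or '')."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(opmn_xml, parser=parser)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns[1:-1])  # serialise with a default namespace, no ns0: prefix
    return root, ns


def current_timeouts(opmn_xml):
    """Return {process-type id: {'start': n, 'stop': n, 'restart': n}} for the listed components."""
    root, ns = _parse(opmn_xml)
    result = {}
    for ptype in root.iter(ns + "process-type"):
        pid = ptype.get("id")
        if pid not in RECOMMENDED:
            continue
        result[pid] = {}
        for tag in ("start", "stop", "restart"):
            elem = ptype.find(ns + tag)
            if elem is not None and elem.get("timeout"):
                result[pid][tag] = int(elem.get("timeout"))
    return result


def raise_timeouts(opmn_xml):
    """Return (updated xml text, list of changes). Only raises values below the recommendation."""
    root, ns = _parse(opmn_xml)
    changes = []
    for ptype in root.iter(ns + "process-type"):
        pid = ptype.get("id")
        wanted = RECOMMENDED.get(pid)
        if wanted is None:
            continue
        for tag, (timeout, retry) in wanted.items():
            elem = ptype.find(ns + tag)
            if elem is None:
                # Report rather than guess where the element belongs in the process-type.
                changes.append(f'{pid}/{tag}: missing, add <{tag} timeout="{timeout}"/> manually')
                continue
            current = int(elem.get("timeout", "0"))
            if current < int(timeout):
                elem.set("timeout", timeout)
                changes.append(f"{pid}/{tag}: timeout {current} -> {timeout}")
            if retry is not None and elem.get("retry") is None:
                elem.set("retry", retry)
                changes.append(f"{pid}/{tag}: added retry={retry}")
    # ElementTree drops the declaration; put it back so OPMN still sees a complete document.
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    # Usage: python raise_timeouts.py [path/to/copy/of/opmn.xml]; without a path, uses the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OPMN_XML
    updated, report = raise_timeouts(text)
    print("\n".join(report) or "no changes needed")
    if len(sys.argv) > 1:
        sys.stdout.write(updated)
```

The script writes the result to standard output rather than over the original file; review it, copy it into place, then run `opmnctl validate` as in step 2.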
    

To download and store the patch set components

  1. Go to Oracle MetaLink at the following URL:

    http://metalink.oracle.com

  2. Log in.

  3. Click Patches & Updates.

  4. Click Quick Links to the Latest Patchsets, Mini Packs, and Maintenance Packs.

  5. Click the patch number for this Oracle Identity Management patch release (5983637).

  6. Click Download.

  7. In the directory where you stored the downloaded zip files, unzip and extract all of the files to a new temporary platform-specific directory, similar to one of the following:

    • 10.1.4.2.0_tmp_linux

    • 10.1.4.2.0_tmp_win32x

    There is one patch set file for each platform. Each zip file, when unzipped, is an Oracle shiphome that contains all of the information required to patch the Oracle Identity Management products.

  8. Repeat the steps above for each platform-specific bundle that you need.

To apply the patch set to the 10g (10.1.4.0.1) Identity Management products on all platforms

  1. Review "Required Software".

  2. Complete all activities in "Pre-Installation Requirements".

  3. Download and unzip the patch set files, as described in "To download and store the patch set components".

  4. Stop the products you are patching.

  5. Back up the installation directory for each product that you are patching, and move the backup directory to another location.

    Record the backup location so you can locate it later, if needed.

    Note that this patch overwrites the Oracle Directory Integration Platform properties and map files in Oracle_Home/ldap/odi/conf. At minimum, you may want to restore these properties after applying the patch.

  6. Restart the component.

    For Oracle Internet Directory, perform the restart using the opmnctl command. If Oracle Internet Directory processes are started manually using oidctl and oidmon, the Oracle Internet Directory Configuration Assistant fails.

  7. In the unzipped patch directory, navigate to Disk1, and run the patch installation program, as follows:

    ./runInstaller
    
  8. Repeat this procedure for each platform-specific instance that you need.

  9. When you are done, restart Enterprise Manager.

    See the Oracle Application Server Administrator's Guide, "A.1 Starting and Stopping the Application Server Control" for details.


    Note:

    The status of the patched components may be incorrectly displayed in the Enterprise Manager Application Server Control immediately after applying the patch. After restarting AS Control, the status is displayed correctly.

3.4 A Note on Oracle Directory Integration Platform Startup After Upgrading

In this patch set release, Oracle Directory Integration Platform introduces the concept of profile groups and has modified the notion of configset. This has an impact on the Oracle Directory Integration Platform startup command.

Prior to 10.1.4.2, a configset contained two kinds of configuration information:

  • Configuration information for the Oracle Directory Integration Platform Server, indicating the refresh interval, the maximum number of profiles that can be scheduled, debug level, and so on

  • A list of profiles that are to be scheduled during its execution.

This release introduces profile groups. Profile groups consist of all the profiles that are to be scheduled by a specific instance of the Oracle Directory Integration Platform Server. The configset contains only the server configuration specific parameters, for example, refresh interval, maximum number profiles, and so on. When starting the Oracle Directory Integration Platform server you need to specify a configset number and a profile groupname as input parameters.

When upgrading to this release, for each configset that contained the configuration parameters and list of profiles, the upgrade creates a group with the same name as that of the original configset and associates profiles that were previously associated with the configset to the group. For instance, if you had a configset named configset1 with all the Oracle Directory Integration Platform configuration parameters, after completing the upgrade you have a configset named configset1 that contains server-specific parameters and a group named configset1 that contains all the profile groups.

For example, suppose that prior to 10.1.4.2 your startup command was as follows:

oidctl server=odisrv instance=instanceNumber configset=1 flags="port=oidport host=oidhost debug=debuglevel" start

After upgrading to this patch release, you can start up the server as follows:

oidctl server=odisrv instance=instanceNumber configset=1 flags="port=oidport host=oidhost grpid=configset1 debug=debuglevel" start

Note that the configset number that was used prior to 10.1.4.2 is used as a group name. If this group name (in this example, configset1) is confusing, you can start dipassistant -gui and use its group management feature to rename the group.

If you have used DIPAssistant and renamed the group, for example, if you have renamed configset1 to group1, you would modify the startup script as follows:

oidctl server=odisrv instance=instanceNumber configset=configsetnumber flags="port=oidport host=oidhost grpid=group1 debug=debuglevel" start

3.5 Issues Related to Applying this Patch

You can encounter the following issues when applying this patch:

  • You can encounter an "emagent.java not shut down" error.

    See "To respond to the "emagent.java not running" error" for details. Note that for other "Processes not running in oracle_home" pop-ups, you can work around the problem by waiting a few minutes for the processes to stop.

  • In the Oracle Application Server Upgrade and Compatibility Guide 10g (10.1.4.0.1) for UNIX, Appendix B, "Upgrading High Availability Configurations," you can encounter issues when following the procedure in section B.5.4, "Task 4: Upgrade the First OracleAS Identity Management Instance."

    Oracle recommends that you remove the second Oracle Application Server Single Sign-On or Oracle Delegated Administration Services instance from the DCM cluster before applying the first Identity Management patch. You can perform a join cluster operation to join these instances after applying the second patch, as described in the procedure, "To upgrade a Single Sign-On or Oracle Delegated Administration Services cluster".

  • You can encounter an error similar to the following when upgrading on a Unix system:

    /usr/bin/diff: /etc/localtime: No such file or directory
    

    The patch installation program can hang when it is run on Unix if the /etc/localtime file is missing. To work around this problem, create a symbolic link by running the example command below:

    ln -s /usr/share/zoneinfo/US/Pacific /etc/localtime
    
  • If you are installing multiple components on a Windows computer and a configuration assistant fails because it cannot connect to Oracle Internet Directory, click Retry on the Oracle Universal Installer screen.

To upgrade a Single Sign-On or Oracle Delegated Administration Services cluster

  1. Install the first Metadata Repository, version 10.1.4.0.1 for the Identity Management components.

  2. Install the first collocated Identity Management instance for high availability.

  3. Install the second collocated Identity Management instance for high availability.

  4. Patch the instance installed in step 1.

  5. Issue the following command:

     $ ~/11g/collocated1/dcm/bin/dcmctl listInstances -cl collocated
    

    The command output is similar to the following:

    1
    Instance name: collocated1.myserver1.us.mycompany.com
    Cluster:       collocated
    Hostname:      myserver1.us.mycompany.com
    Oracle Home:   /scratch/aime1/11g/collocated1
    2
    Instance name: collocated2.myserver2.us.mycompany.com
    Cluster:       collocated
    Hostname:      myserver2.us.mycompany.com
    Oracle Home:   /scratch/aime1/11g/collocated2
    

    Where ORACLE_HOME is the Identity Management instance installed in step 2.

  6. Ensure that the dcm-daemon is alive in both the Single Sign-On and Oracle Delegated Administration Services instances.

  7. Enter the following command:

    ORACLE_HOME/dcm/bin/dcmctl leavecluster -i collocated2.stahx02-2.us.oracle.com
    

    Note that after running the leavecluster command, the second instance is not shown, as follows:

    ~/11g/collocated1/dcm/bin/dcmctl listInstances -cl collocated
    
    1
    Instance name: collocated1.myserver1.us.mycompany.com
    Cluster:       collocated
    Hostname:      myserver1.us.mycompany.com
    Oracle Home:   /scratch/aime1/11g/collocated1
    
  8. Stop the second Identity Management instance, and patch the first Identity Management instance to 10.1.4.2.

    Note that you can encounter an error while applying the patch. See "To respond to the "emagent.java not running" error" for details.

  9. Patch the second Identity Management instance.

  10. Join the second instance to the cluster, as follows:

    ~/11g/collocated2/dcm/bin/dcmctl joincluster  -cl collocated -i collocated2.myserver2.us.mycompany.com
    
    1
    Instance name: collocated1.myserver1.us.mycompany.com
    Cluster:       collocated
    Hostname:      myserver1.us.mycompany.com
    Oracle Home:   /scratch/aime1/11g/collocated1
    2
    Instance name: collocated2.myserver2.us.mycompany.com
    Cluster:       collocated
    Hostname:      myserver2.us.mycompany.com
    Oracle Home:   /scratch/aime1/11g/collocated2
    

To respond to the "emagent.java not running" error

  1. While applying the 10.1.4.2 patch, a pop-up may appear in the Enter Metadata Repository SYS password screen, as follows:

    OUI has detected that there are processes running in the currently selected
    Oracle Home. The following processes need to be shutdown before
    continuing:emagent.java
    
  2. To respond to the error, enter one of the following sets of commands from the ORACLE_HOME.

    On Linux, enter the following:

    Oracle_Home>setenv ORACLE_HOME $PWD
    Oracle_Home>setenv ORACLE_SID SID
    Oracle_Home/bin>emctl stop dbconsole
    

    On Windows NT, enter the following:

    set ORACLE_HOME=<path for Oracle_Home>
    set ORACLE_SID=<SID>
    Oracle_Home/bin>emctl stop dbconsole
    

4 Patch Notes for Oracle Internet Directory

The following sections discuss issues that are resolved in this release and workarounds for known issues for Oracle Internet Directory.

4.1 Administration Issues and Workarounds for Oracle Internet Directory

Table 1 shows Oracle Internet Directory administration issues and workarounds in 10g Release 3 Patch Set 1 (10.1.4.2):

Table 1 Administration Issues and Workarounds for Oracle Internet Directory

Bug Description

6159839

When running any Oracle Internet Directory tool on a host that has multiple Oracle_Home directories, be sure that the following is the first entry in the PATH:

Oracle_Home/bin


4.2 Resolved Issues for Oracle Internet Directory

Table 2 shows Oracle Internet Directory issues that have been resolved in 10g Release 3 Patch Set 1 (10.1.4.2):

Table 2 Resolved Issues for Oracle Internet Directory

Bug Description

6355927

EUS 9i did not support the custom controls provided in Oracle Internet Directory that allow client applications to determine the status of an account in Oracle Internet Directory, for example, expired, locked out, and so on. This enabled users with locked out or expired accounts in Oracle Internet Directory to still be able to log in via EUS.

This problem has been fixed in the current release. See Metalink note 459772.1 at the following URL for details:

https://metalink.oracle.com

6328673, 6323774

The OIDDIAG tool issues an "oidldapd: not found" error when you attempt to run the tool.

This error occurs because the tool is unable to retrieve the correct version number for Oracle Internet Directory.

This problem has been fixed in the current release. The diagnostics tool is able to find the correct version number for Oracle Internet Directory.

6116941

After running Oracle Internet Directory for an extended period, you may receive an error similar to the following:

BEGIN
2007/06/05:07:19:17 * ServerWorker (REG):12
ConnID:1371 * mesgID:34 * OpID:33 * OpName:search
ConnIP:140.87.218.25
ConnDN: cn=opnoidadmin,dc=oracle,dc=com
ERROR gsleswrrwRawWrite:Reached maxretry count(11) for conndn=cn=xxx,dc=yyy,dc=com, IPaddress=111.22.233.44 not responding
END

After receiving this error, it may recur after only a few minutes.

This problem has been fixed in the current release. The maximum retry count is now reset, which prevents this error.

6159835, 6112957

The entry cache is unable to free memory for new entries. The oidldapd log file shows the error message, "Entry cache is full, could not free up size xxx." This problem has been fixed in the current release.

6042473, 5643195

Several fixes and enhancements have been added to support chaining with Microsoft Active Directory (AD). See Metalink article 452381.1 for details at the following URL:

https://metalink.oracle.com/

This note describes support that has been added for server chaining to Microsoft Active Directory, including options to control the naming attribute to use for user entries, the method for complex mappings of user and group structures, and simulation of the orcluserv2 object class for user entries.

Note that support has also been added for using SSL when connecting to an external directory. See the Metalink note referenced above for details.

Metalink note 452381.1 also describes using Enterprise User Security (EUS) with Oracle Internet Directory server chaining:

This section of the note describes how to install a plug-in in the Active Directory server so that the hash password is available to users accessed via Oracle Internet Directory. You must have a hash password to authenticate users.

5958222

The replication process is unable to read the source data, and as a result it crashes.

This problem has been fixed in the current release. The replication tool no longer tries to use a NULL mods structure.

5890534

When running Oracle Internet Directory on a multiple-CPU machine, bulk load operations can hang.

This problem has been fixed in the current release.

5890157

The log files for the Oracle Internet Directory server display invalid time stamps.

This problem has been fixed in the current release.

5770375

LDAPSEARCH plug-in operations are not performed during one-level and subtree searches.

When you configure a PRE plug-in, the attribute orclPluginSearchNotFound ensures that the plug-in is invoked only if the searched entry is not found in Oracle Internet Directory. However, this attribute is ignored when one-level and subtree searches are performed.

This problem has been fixed in the current release. One-level and subtree searches are supported for plug-ins.

5629715

The following exception is thrown when trying to establish an SSL connection from a Java plug-in:

java.lang.ClassNotFoundException: oracle/ldap/util/jndi/LDAPJSSESocketFactory

This problem has been fixed in the current release.

5560388

When installing LDAP replication, if you provide a SID using uppercase characters, the installation fails. The problem occurs because the wallet is assigned the uppercase SID in the file name, but the replication server searches for a lowercase wallet filename.

This problem has been fixed in the current release.

5486719

LDAPSEARCH fails to return the correct entries on some searches where you use a less-than-or-equal-to operator.

If you issue an ldapsearch command using an indexed attribute with an EQUALITY integerMatch SYNTAX matching rule, the search returns incorrect results.

For example, the following searches do not return any results:

ldapsearch -h urukai -p 389 -D "cn=admin" -w <pwd> -s sub -b "cn=Users, dc=us,dc=mycompany,dc=com" "test2 <= 5" dn

ldapsearch -h urukai -p 389 -D "cn=admin" -w <pwd> -s sub -b "cn=Users,dc=us,dc=mycompany,dc=com" "test2 <= 6" dn

This problem has been fixed in the current release.

5439667

OIDLDAPD may stop and restart frequently when Oracle Internet Directory receives a filter that is larger than 12k.

A new, configurable parameter orclmaxfiltsize controls the maximum filter size. Internal buffers are allocated based on this size. Any filter that is longer than the configured length is rejected and a "DSA Unwilling to Perform" error is displayed on the client.

5406780

If the oidcmprec tool requests an entry from Oracle Internet Directory and Oracle Internet Directory does not return the entry, the oidcmprec tool crashes. This problem has been fixed in the current release.


4.3 Documentation Issues for Oracle Internet Directory

Table 3 shows Oracle Internet Directory documentation issues in 10g Release 3 Patch Set 1 (10.1.4.2):

Table 3 Documentation Issues for Oracle Internet Directory

Bug Description

6505741

In the Oracle Fusion Middleware User Reference for Oracle Identity and Access Management Suite, the section on arguments for oidctl (2.3.2) states the following:

configset = configuration_set_number | server_configuration_group_number

This can be interpreted as configset=0 or configset=defaultgroup. However, the oidctl parameter for configset can only be numeric.

In the section on odisrv Flags (2.3.2.2), the following information is provided:

"grpID=connector_group_identifier: Optional. A unique identifier that represents the connector group with which the profile is associated. This flag is not available if a value of OIDLDAPD is assigned to the server argument."

This paragraph should instead state the following:

"This flag is only applicable when starting the OIDSRV synchronization process, that is, the SERVER argument is odisrv. "

6501791

In the Oracle Fusion Middleware User Reference for Oracle Identity and Access Management Suite, in the section on arguments for odisrv, the Debug Flags show the flags for the oidldapd server instead of those for odisrv. The correct value should be between 0 and 63.

6367644

The 10.1.4 Oracle Internet Directory Administrator's Guide, Chapter 12, "Referential Integrity," includes the following statement under Step 7 of "Configuring and Enabling Referential Integrity":

"Each time you run oidrimdx.pls, quickly disable and then enable the entry cache, as follows. . ."

Actually, the entry cache is implicitly disabled whenever more than one LDAP server process is configured. Do not disable and then enable the entry cache in an environment with more than one LDAP server process configured.

6316385

The section "Privacy of Retrieved Sensitive Attributes" in Chapter 16, "Directory Security Concepts," of the Oracle Internet Directory Administrator's Guide needs to state that OC4J_SECURITY cannot be started if orcldataprivacymode is set to 1.


5 Patch Notes for Oracle Delegated Administration Services

The following sections discuss issues that are resolved in this release and workarounds for known issues for Oracle Delegated Administration Services.

5.1 Resolved Issues for Oracle Delegated Administration Services

Table 4 shows Oracle Delegated Administration Services issues that have been resolved in 10g Release 3 Patch Set 1 (10.1.4.2):

Table 4 Resolved Issues for Oracle Delegated Administration Services

Bug Description

5623942

Users who are assigned the edit user privilege cannot see certain roles.

5462488

Oracle Collaboration Suite Web mail contacts can be added for both single and multi-level domain e-mail addresses.

5386748

Users without appropriate privileges can perform configuration operations.


5.2 Known Issues and Workarounds for Oracle Delegated Administration Services

Table 5 shows known issues and workarounds for Oracle Delegated Administration Services in 10g Release 3 Patch Set 1 (10.1.4.2):

Table 5 Known Issues and Workarounds for Oracle Delegated Administration Services

Bug Description

6456923

When invoking the online help for Oracle Delegated Administration Services on Windows, you might receive the following error message:

OHW configuration file error detected. Please contact the system administrator.

To eliminate this error, restart the application server using opmn.


6 Patch Notes for Oracle Directory Integration Platform

The following sections discuss issues that are resolved in this release and workarounds for known issues for Oracle Directory Integration Platform.

6.1 Administration Issues and Workarounds for Oracle Directory Integration Platform

Table 6 lists administrative issues and workarounds for Oracle Directory Integration Platform.

Table 6 Oracle Directory Integration Platform Administrative Issues and Workarounds

Bug Description

6456256

When Oracle Directory Integration Platform is connected to eDirectory or Open LDAP and you create a new profile, the Create New page does not contain the Reconcile Details that are required for these directories.

The workaround is to use the LDAP Connector Express Setup when creating a profile while connected to eDirectory or Open LDAP. This feature supplies the values required for reconciliation.

6454969

When using Connector Express to create an export or import profile, the default synchronization mode is Target->OID. This can cause you to inadvertently configure an import profile when you intended to configure an export profile. Even though the Export Profile field is the first field on this page, and the Synchronization Mode field is a later selection on the same page, you must select the synchronization mode before selecting an export profile.

If you select the export profile before the synchronization mode, mapping rules are created for importing.

6326863

Modification of source attribute rules is not supported. The Mapping tab of the Integration Profile dialog box allows you to add or edit integration profile attribute rules by clicking the Add or Edit buttons, which displays the Attribute Rule window. If you attempt to edit a source rule attribute in the Attribute Rule window, you will receive an error that says: "An internal error has occurred". The same error will also occur if you click the Add button in the Attribute Rule window, and then click the Edit button in the Select Source Attributes window.

6326181

Enterprise Manager 10g Application Server Control shows the Oracle Directory Integration Platform server as down when it is actually running. This problem can occur when using a long host name. To resolve this issue, perform the following steps to modify the targets.xml file so it uses a short host name instead of a long host name:

  1. Back up the $ORACLE_HOME/sysman/emd/targets.xml file, and then open it in a text editor.

  2. Locate the following elements:

    <Target TYPE="server_type" NAME="server_name"
     DISPLAY_NAME="display_name">...
            <Property NAME="host"
     VALUE="server.domain.domain_identifier"/>
    
  3. Remove the domain and domain identifier from the value portion of the <Property> element as follows:

    <Target TYPE="server_type" NAME="server_name"
     DISPLAY_NAME="display_name">...
            <Property NAME="host"
     VALUE="server"/>
    
  4. Restart the Enterprise Manager 10g Application Server Control.


6.2 Configuration Issues and Workarounds

Table 7 lists configuration issues and workarounds for Oracle Directory Integration Platform.

Table 7 Oracle Directory Integration Platform Configuration Issues and Workarounds

Bug Description

6457304

The default profile named ActiveImport that is installed with Oracle Directory Integration Platform uses the DirSync change tracking approach to import changes from Active Directory into Oracle Internet Directory. If the ActiveImport profile is also used for bootstrapping, you may experience a significant delay when updating the profile's last change number.

6454835

When creating an OpenLDAP export profile, you can encounter the following error:

an INternal error has occurred oracle.ldap.admin.common.PropertyException.

This problem occurs when using the Create Like operation in the Connector Profile Management page to create an OpenLDAP export profile. After you configure the General tab and select the Mapping tab, this error appears when you click Edit.

This problem does not occur when using LDAP Express Setup.

There is a workaround for this issue. See "Details for OpenLDAP Export Profile Issue" for details.

6454115

When starting the graphical Oracle Directory Integration Platform administration console on Windows using the Start menu, the application hangs when you perform the following steps:

  1. Click Start, then All Programs, then Oracle Installation Home xx, then Integrated Management Tools, then Directory Integration and Provisioning Server Administration.

  2. Create a profile using the Connector Express tool.

  3. Select Configure External Authentication Plugin.

This problem does not occur when starting the graphical console using the command line.

The following is the workaround for this issue:

  1. Click Start, then All Programs, then Oracle Installation Home xx, then Integrated Management Tools, then Directory Integration and Provisioning Server Administration.

  2. Right-click and select Properties.

  3. In the Shortcut tab, change the target value to the following:

    Oracle_Home\bin\dipassistant.bat -gui

    Where Oracle_Home is the directory on your computer where Oracle Directory Integration Platform is installed.

6441750

When creating a profile using dipassistant, you can encounter an issue, as follows:

  1. Launch dipassistant.

  2. Create a profile.

  3. Go to the mapping tab and select a pre-populated mapping rule, for example:

    %userbase%:%userbase%

  4. Click Edit.

  5. When you attempt to select the destination and source nodes, there should be drop-down lists for these choices, however, there are none.

This problem occurs when you edit the pre-populated domain rule:

%userbase%:%userbase%

The workaround for this issue is to delete this rule and add a new rule.

6326181

The 10g Release 3 Patch Set 1 (10.1.4.2) patch fails when applied to an Oracle Directory Integration Platform-only installation. To resolve this issue, perform the following steps to disable Oracle Internet Directory in the opmn.xml file:

  1. Run the $ORACLE_HOME/opmn/bin/opmnctl stopall command.

  2. Open the $ORACLE_HOME/opmn/conf/opmn.xml file in a text editor.

  3. Locate the following element:

    <ias-component id="OID" status="enabled">
    
  4. Change the value assigned to the status attribute to "disabled", as follows:

    <ias-component id="OID" status="disabled">
    
  5. Run the $ORACLE_HOME/opmn/bin/opmnctl startall command.

6404359

Manually creating a configuration set beneath the cn=OracleContext container causes an error. To resolve this issue, use the Oracle Directory Integration Server Administration tool to create the configuration set.


6.2.1 Details for OpenLDAP Export Profile Issue

The explanation and workaround for this issue are as follows. Specific profiles were created during installation of 10.1.4.0, for example, OpenLDAPExport and eDirectoryImport. When upgrading to 10.1.4.2, these profiles are copied to a new group. To create a profile using the Create Like operation for OpenLDAPExport under Connector Profile Management, update the Directory Type to OpenLDAP from NONLDAP.

To update the profile:

  1. Create an LDIF file similar to the following, using your own profile name:

    dn: orclodipagentname=<Profile Name>,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
    changetype: modify
    replace:orclodipcondirtype
    orclodipcondirtype: <Directory Type>
    

    The following is an example:

    dn: orclodipagentname=OpenLdapExport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
    changetype: modify
    replace:orclodipcondirtype
    orclodipcondirtype: OpenLdap
    
  2. Issue the ldapmodify command to update the profile using the LDIF file.

6.3 Resolved Issues for Oracle Directory Integration Platform

Table 8 shows Oracle Directory Integration Platform issues that have been resolved in 10g Release 3 Patch Set 1 (10.1.4.2):

Table 8 Oracle Directory Integration Platform Resolved Issues

Bug Description

5705503

SearchDeltaSize ignored during synchronization.

5687946

Entries that contain the userpassword attribute are not synchronized.

5632861

DIP_GEN_CREATECHG_EXCEPTION thrown when a source contains more than ten object classes.

5600872

Deletions are not synchronized when a domain editing rule is defined.

5497683

ClassCastException thrown when synchronizing entries with special UTF8 characters.

5402547

Groups are not synchronized for OpenLDAP express configuration profiles.

5368161

NullPointerException thrown when connstr parameter is not provided during Directory Integration Platform upgrades.

5346578

MODRDN events not propagated on Windows platforms.


7 Patch Notes for OracleAS Single Sign-On

The following sections discuss issues that are resolved in this release and workarounds for known issues for OracleAS Single Sign-On.

7.1 General Issues and Workarounds for OracleAS Single Sign-On

Table 9 shows known issues and workarounds for general operations.

Table 9 General Issues and Workarounds for OracleAS Single Sign-On

Bug Description

6204882

Users can receive errors when logging into /pls/orasso or /oiddas after a database shutdown and restart. This problem can occur in a high availability topology, where all component hosts use Windows and communicate using SSL. You may also see this error when working in other modes, for example, non-SSL or SSL Accelerator mode.

The workaround for this issue is to bounce all processes after the database shutdown and restart, and to restart the middle tier to refresh the middle tier connections.

4043807

If you have configured multi-domain single sign-on, global logout may not work correctly if the user's browser is Firefox 1.0, 1.5 or 1.x and the "Enable cookies for the originating website only" Privacy option is set. In this situation, when the user logs out of a partner application and initiates global logout, the partner application cookies are not deleted. For example, if multi-domain single sign-on has been configured for partner applications on domain.com and the infrastructure (Oracle Application Server Single Sign-On) on subdomain.domain.com, and the user logs out of the application on domain.com, single sign-on logout appears to have worked. However, the user can still access a protected application on domain.com during the same session. This is a known limitation for Firefox 1.x. This problem is not applicable to Firefox versions 2.x. Users with 1.x browsers are advised to close the browser after logout.


7.2 Administration Issues and Workarounds for OracleAS Single Sign-On

Table 10 describes administration issues and workarounds.

Table 10 Administration Issues and Workarounds for OracleAS Single Sign-On

Bug Description

6179967

During normal operation of OracleAS Single Sign-On, or after applying the 10.1.4.2 patch to a 10.1.4.0.1 node, you may be unable to start OC4J_SECURITY. If you check the log file ssoServer.log, an error similar to the following appears:

oracle.ias.repository.schema.SchemaException: Unable to establish secure
connection to Oracle Internet Directory Server ldap://iashaqa02.us.oracle.com:636/ Base Exception :
javax.naming.CommunicationException: iashaqa02.us.oracle.com:636
[Root exception is java.net.ConnectException: Connection refused]
at oracle.ias.repository.directory.DirectoryReader.connectSsl(DirectoryReader.java:109)
at oracle.ias.repository.directory.DirectoryReader.connect(DirectoryReader.java:117)
at oracle.ias.repository.IASSchema.getColocatedDBConnect(IASSchema.java:673)
at oracle.ias.repository.IASSchema.getDBConnect(IASSchema.java:793)
at oracle.ias.repository.SchemaManager.getDBConnect(SchemaManager.java:406)
. . .

The workaround for this problem is to synchronize the password for ORASSO_SSOSERVER in Oracle Internet Directory and the database. After synching the password in both locations, you will be able to start OC4J_SECURITY. See the section, "Changing Single Sign-On Server Settings for Directory Access" in the Oracle Application Server Single Sign-On Administrator's Guide for details.


7.3 Resolved Issues for OracleAS Single Sign-On

Table 11 shows OracleAS Single Sign-On issues that have been resolved in this release.

Table 11 Resolved Issues for OracleAS Single Sign-On

Bug Description

5867734

Several issues may occur after you integrate OracleAS Single Sign-On with Windows Native Authentication (WNA):

  • When you log into the single sign-on server, the user name is displayed in the form domain/username instead of username.

  • After you log into the single sign-on server, there is no link to the single sign-on administration landing page.

These problems have been fixed.

5405820

An issue can occur with the single sign-on server when a Password Expiration Warning (pwdexpirewarning) is set in an Oracle Internet Directory password policy. Ordinarily, when the single sign-on server displays a password expiry warning page, the user can either reset the password or click Cancel to ignore the warning. If the user clicks Cancel, he or she is redirected to the target application page.

However, if a global inactivity timeout occurs at the same time as the password expiry warning, the expected behavior does not occur. The user is first prompted to re-authenticate. After re-authentication, the password expiry warning appears. But if the user clicks Cancel in the warning page, he or she is redirected to the login page instead of to the target page.

This problem has been fixed.


8 Patch Notes for Oracle Identity Federation

The following sections discuss issues that are resolved in this release and workarounds for known issues for Oracle Identity Federation.

8.1 General Issues and Workarounds for Oracle Identity Federation

Table 12 describes general issues and workarounds for Oracle Identity Federation.

Table 12 General Issues and Workarounds for Oracle Identity Federation

Bug Description

5405364

After a successful installation of Oracle Identity Federation, you may see errors of this type in the federation.log file at startup:

llerImpl.getActionStateMachine() - Enter
06/07/22 19:19:54 Initializing: WARN
oracle.security.fed.jvt.discovery.util.BackEndInitializer.createProvider() -
java.lang.NoSuchMethodException:
oracle.security.fed.model.util.ldap.LDAPConnectionManager.setUserDescAttr(java.lang.String)
06/07/22 19:19:54 Initializing: WARN
oracle.security.fed.jvt.discovery.util.BackEndInitializer.createProvider() -
java.lang.NoSuchMethodException:
oracle.security.fed.model.util.oid.OIDConnectionManager.setUserDescAttr(java.lang.String)
06/07/22 19:19:54 Initializing: WARN
oracle.security.fed.jvt.discovery.util.BackEndInitializer.getMethod() -
Method (setOIDConnectionManager) not in Class
oracle.security.fed.jvt.discovery.model.user.LDAPUserDiscoveryProvider
06/07/22 19:19:54 Initializing: WARN
oracle.security.fed.jvt.discovery.util.BackEndInitializer.createProvider() -
java.lang.NoSuchMethodException:
oracle.security.fed.model.util.ldap.LDAPConnectionManager.setUserDescAttr(java.lang.String)
06/07/22 19:19:54 Initializing: WARN
oracle.security.fed.jvt.discovery.util.BackEndInitializer.createProvider() -
java.lang.NoSuchMethodException:
oracle.security.fed.model.util.oid.OIDConnectionManager.setUserDescAttr(java.lang.String)

No action is needed. These are spurious errors which can safely be ignored.


8.2 Administration Issues and Workarounds for Oracle Identity Federation

Table 13 describes administration issues and workarounds for Oracle Identity Federation.

Table 13 Administration Issues and Workarounds for Oracle Identity Federation

Bug Description

5400171

A problem is seen in the following scenario:

  • Service Provider domains (MyDomain and source domain) are configured to use SAML 1.0.

  • Identity Provider is also configured to use SAML 1.0.

  • The assertion profile at the Identity Provider is set to assign assertions, with the certificate included.

Upon logging in as a valid user, the following error is seen in the log file at the Service Provider:

RECEIVER: ERROR: An invalid SAML Response was received: XML SIGNER: ERROR:
Invalid signature or altered contents

This error occurs because a signed assertion was configured for the SAML 1.0 profile. Signed SAML 1.0 assertions are not supported in Oracle Identity Federation. Use the SAML 1.1 profile for signed assertions.

5375120

After executing the command-line configuration assistant to change the transient data store (either to switch databases or to use different credentials), you may be unable to access the Oracle Identity Federation administration console. The federation or OPMN logs show errors related to the database:

Invalid username/password

The problem occurs when the configuration assistant is used to switch to a different RDBMS for the transient data store or to change the login credentials. In either case, the password does not get reset, causing the invalid username/password error.

Take these steps to resolve the problem:

  1. Log on to the Oracle Enterprise Manager console.

  2. Navigate to OC4J_FED, then to Administration, then to Security.

  3. In the Users list, click on the jazn.com/oif_db entry.

  4. Enter the correct password to access the RDBMS, and click Apply.

  5. Restart the OC4J_FED instance.


8.3 Resolved Issues for Oracle Identity Federation

Table 14 shows Oracle Identity Federation issues that have been resolved in 10g Release 3 Patch Set 1 (10.1.4.2):

Table 14 Resolved Issues for Oracle Identity Federation

Bug Description

6157821

Oracle Identity Federation could not consume PKCS#12 wallets created by Oracle Wallet Manager.

Oracle Identity Federation can now do the following:

  • Consume PKCS#12 wallets created by Oracle Wallet Manager.

    These wallets can be used for signing and encryption operations for Liberty 1.x and SAML 2.0 protocol messages. Oracle Identity Federation accepts PKCS#12 wallets that contain one (and only one) private key with the corresponding certificate, and optionally contain other certificates such as trusted certificates. If multiple private keys are stored in the PKCS#12 wallet, it is rejected.

  • Consume Java keystores for use in Liberty 1.x and SAML 2.0 signature and encryption operations.

    These keystores can be loaded through the Server Properties page on the Oracle Identity Federation administration console. Oracle Identity Federation accepts keystores that contain one (and only one) private key with the corresponding certificate, and optionally contain other certificates such as trusted certificates. If multiple private keys are stored in the keystore, it is rejected.

6003996

Oracle Identity Federation was not signing the Liberty or SAML 2.0 SOAP Response message under these conditions:

  • Oracle Identity Federation is the Identity Provider.

  • SOAP Response messages are marked to be signed.

  • The response message contains an encrypted assertion.

5985731

If an internal error occurred while processing a SOAP request, Oracle Identity Federation was throwing a 500 error code instead of returning a SOAP fault.

5933376

When an Identity Provider and a Service Provider are set up to use automatic account linking using non-opaque name IDs, and an Identity Provider SSO is initiated, if the federation does not exist and the user cannot be located using the NameID value, a null pointer error occurred in the Service Provider.

5878454

In an attribute sharing framework, Oracle Identity Federation throws a 500 Internal Server Error when it receives XML Response elements with no assertion/statement.

With this fix, the Service Provider sends back an AttributeResponse with no attributes.

5860005

Oracle Identity Federation now supports SAML 2.0 Query descriptors as defined in the specifications of the Metadata Extension for SAML 2.0 and 1.x Query Requesters.

With this enhancement, Oracle Identity Federation, acting as an Attribute Authority or Authentication Authority, can consume metadata from remote providers.

5752858

Oracle Identity Federation failed to load SAML 2.0 provider metadata if the top level element in the metadata XML document is a md:EntitiesDescriptor.

With the correction, the server can handle a md:EntitiesDescriptor containing a single md:EntityDescriptor.

Note: Oracle Identity Federation cannot load SAML 2.0 provider metadata if md:EntitiesDescriptor contains more than one md:EntityDescriptor.

5742570

To use the eTrust SiteMinder user data store, Oracle Identity Federation needs to be configured with administrator credentials to perform SiteMinder policy server setup at initialization time. As an alternative, you can now run a Perl script independently to perform SiteMinder policy server setup. Initialization can then be skipped by setting the SkipInitialize flag to true.

5742565

Previously, administrator credentials with modify permissions were required to perform eTrust SiteMinder policy server setup at initialization time. You can now instruct Oracle Identity Federation not to perform eTrust SiteMinder policy server setup at initialization by setting the SkipInitialize flag to true. A second flag, AllowSMCreation, now ensures that, even with administrator credentials, Oracle Identity Federation makes no modifications to the policy server.

Details about this feature are available in the Oracle Identity Federation Administrator's Guide, in the "Additional Server Configuration" chapter under "Configuring Oracle Identity Federation for Startup eTrust SiteMinder Operations."

5725307

When mapping the local user data store UID attribute to the NameIdentifier in a SAML 2.0 assertion, Oracle Identity Federation now also supports the Unspecified NameID format. In addition, a custom format URI is available to support deployments that use a custom NameID format.

5685225

Oracle Identity Federation has been enhanced to support Basic Authentication on the SOAP stack.

On the client side, support has been added for a command-line tool that enables the administrator to configure Oracle Identity Federation to use a specific username/password combination to connect to remote providers (assuming the provider has turned on Basic Authentication).

On the server side, Basic Authentication rules are enforced by the Oracle Application Server stack, for example through Oracle HTTP Server.

Details about this feature are available in the Oracle Identity Federation Administrator's Guide, in the "Deploying Oracle Identity Federation" chapter under "Implementing HTTP Basic Authentication."

5668356

When a SAML 1.x assertion was received with an attribute having no value (for example, <AttributeValue/>), a NullPointerException occurred on the Service Provider when mapping that attribute to the user data store.

5650671

Previously, only peer providers whose metadata contained an SPSSODescriptor or an IdPSSODescriptor could be displayed on the Oracle Identity Federation Administration Console's Circle of Trust pages.

With this fix, providers whose metadata does not contain these elements, but is otherwise valid (for example, it contains an AttributeQueryDescriptor element) will be properly displayed on the Circle of Trust pages.

5595258

When an incoming AuthnRequest contained an AssertionConsumerServiceURL, the Identity Provider did not validate that the given URL is part of the Service Provider resources.

If the AuthnRequest is not signed, Oracle Identity Federation now requires that the AssertionConsumerServiceURL be one of the AssertionConsumerService endpoints defined in the Identity Provider's metadata.

If the AuthnRequest is signed, Oracle Identity Federation accepts the AssertionConsumerServiceURL.
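The following is an added illustration of the endpoint check described for bug 5595258; it is example code written for these notes, not Oracle Identity Federation's own implementation. It parses a constructed SAML 2.0 metadata document (the entityID, host name and endpoint paths are invented) and accepts the AssertionConsumerServiceURL of an unsigned AuthnRequest only when it matches a registered AssertionConsumerService endpoint; for a signed request the URL is accepted, on the assumption that the signature has already been verified by the caller.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ACS_TAG = "{%s}AssertionConsumerService" % MD_NS

# Constructed Service Provider metadata for illustration only; the entityID,
# host name and endpoint paths are invented, not taken from any deployment.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/fed/sp">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/fed/sp/samlv20"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/fed/sp/art20"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_endpoints(metadata_xml):
    """Return the AssertionConsumerService elements that carry a Location, in document order."""
    root = ET.fromstring(metadata_xml)
    return [el for el in root.iter(ACS_TAG) if el.get("Location")]


def default_acs_location(metadata_xml):
    """Endpoint used when the request names none: the isDefault one, else the lowest index."""
    endpoints = acs_endpoints(metadata_xml)
    if not endpoints:
        raise ValueError("metadata defines no AssertionConsumerService")
    for el in endpoints:
        if el.get("isDefault", "false").lower() == "true":
            return el.get("Location")
    return min(endpoints, key=lambda e: int(e.get("index", "0"))).get("Location")


def _canonical(url):
    """Compare scheme and host case-insensitively, path and query byte for byte."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path, parts.query)


def select_response_destination(requested_acs_url, request_signature_verified, metadata_xml):
    """Return the URL the Response may be sent to, or None if the request must be rejected.

    request_signature_verified must be True only after the AuthnRequest signature has
    been checked against the Service Provider's signing certificate (assumption: that
    verification happens before this function is called).
    """
    if requested_acs_url is None:
        # No URL requested: fall back to the registered default endpoint.
        return default_acs_location(metadata_xml)
    if request_signature_verified:
        # A verified signature ties the requested URL to the requesting provider.
        return requested_acs_url
    # Unsigned request: the URL must be one of the endpoints registered in metadata.
    registered = {_canonical(el.get("Location")) for el in acs_endpoints(metadata_xml)}
    if _canonical(requested_acs_url) in registered:
        return requested_acs_url
    return None
```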

5595248

Outgoing HTTP query protocol messages were not appearing in the federation message log when the debug mode was enabled.

The message log file is located in fed/log/federation-msg.log.

5529880

When a signing certificate issued by a third-party CA is installed in the keystore for SAML 1.x/WS-Federation part of Oracle Identity Federation and debug logging is enabled, the server reports the following spurious error:

"XML SIGNATURE: cert verify check: FAILED - java.security.SignatureException: Signature does not match."

The certificate verification is appropriate only for self-signed certificates. This error does not affect Oracle Identity Federation operation and can be ignored.

5463051

Oracle Identity Federation was not handling service URLs from metadata with a query string. With the update, the server can handle the possible presence of query strings in service URLs when creating redirect URLs.


8.4 Documentation Issues for Oracle Identity Federation

Table 15 describes documentation errata in the Oracle Identity Federation Administrator's Guide.

Table 15 Documentation Issues for Oracle Identity Federation

Bug Description

6376572

In the Oracle Identity Federation Administrator's Guide, Section 4.2.8 Integrating WebGate with Oracle Identity Federation Server, the steps for WebGate integration should be updated as follows:

  • In Step 1, following the sentence that starts "Refer to Oracle Access Manager documentation...", the following text should be added:

    "The Preferred HTTP Host of the AccessGate that will be installed on Oracle HTTP Server needs to be set to OIF-HOST:OIF-PORT, by replacing OIF-HOST and OIF-PORT with the correct values."

  • In Step 3, last bullet, the text "Click Add to add new resources, with the URLs" should be replaced with the following:

    "Click Add to add new resources, with the "Fed HostID" identifier, if used, and with the URLs."

  • In Step 4, third bullet, the text "From the Resources tab, add the URLs" should be replaced with the following:

    "From the Resources tab, add the URLs with the "Fed HostID" identifier, if used."

6344168

In the Oracle Identity Federation Administrator's Guide, Section 7.14.4, Configuring Oracle Identity Federation to use a different User Data Store, there is a missing step in the listing of steps needed to set up a different user data store than the one used by eTrust SiteMinder.

The correct sequence of steps, with a new Step 5 inserted, is as follows:

  1. Open the $ORACLE_HOME/fed/shareid/oblix/config/shareid-config.xml file.

  2. Set the useLocalConfig attribute to true to force changes to be persisted at restart:

    <SHAREidConfiguration … useLocalConfig="true">
    
  3. Locate the IdMBridge XML element whose Name attribute is SM.

  4. Set the XML attribute named SecondaryBridgeEqualToSMUserDir to:

    • false to indicate that the user data store is different from the one used by the CA SiteMinder policy server.

    • true to indicate that the user data store is the same for both.

    For example:

    <IdMBridge Name="SM" ... SecondaryBridgeEqualToSMUserDir="false" ...></IdMBridge>
    
  5. Set the XML attribute named UserDirectoryLoginAttribute to the user identifier attribute used in the eTrust SiteMinder user directory to reference a user. For example, if using Oracle Internet Directory, the UserDirectoryLoginAttribute should be set to uid:

    <IdMBridge Name="SM" ... UserDirectoryLoginAttribute="uid" ...></IdMBridge>
    

    The User Identifier attribute is case-sensitive. If using Sun One Directory Server as the eTrust SiteMinder User Directory, for example, that attribute would need to be set to genUserID; setting the parameter to genuserid would cause an error.

  6. Save and restart OC4J_FED.

6331064

In the Oracle Identity Federation Administrator's Guide, Section 4.2.3.4, "Configuring the Oracle Identity Federation User Data Store," Step 4 on connection details for the eTrust SiteMinder policy server is inaccurate; information for Authorization Port and Authentication Port should be corrected as follows:

  • Authorization Port: This is the policy server port used for authorization requests. The default value is 44443.

  • Authentication Port: This is the policy server port used for authentication requests. The default value is 44442.


9 Patch Notes for Identity Management High Availability

Table 16 describes general issues and workarounds for high availability.

Table 16 Issues and Workarounds for High Availability

Bug Description

6350730

In the Oracle Application Server High Availability Guide, section 5.14.1, "Configuring OracleAS Disaster Recovery Where Both the Primary and Standby Sites Use Oracle Real Application Clusters Databases" describes disaster recovery for a RAC-RAC scenario, and section 5.14.2, "Configuring OracleAS Disaster Recovery Where Only the Primary Site Uses Oracle Real Application Clusters Database (Standby Site Uses a Non-Real Application Clusters Database)" describes disaster recovery when an Oracle RAC database resides on a primary site and the standby site uses a standard Oracle database.

Note that, for Windows deployments where the Asgkit resides in a different location from the database HOME directory, the information in these sections applies to Release 10.1.2.3 only. These scenarios are not supported in Release 10.1.4.2.


10 Patch Notes for Identity Management Disaster Recovery

This section includes issues related to highly available topologies using the OracleAS Disaster Recovery solution. This section discusses the following topics:

10.1 General Issues for Disaster Recovery

Table 17 summarizes general issues for disaster recovery for the Identity Management products.

Table 17 Issues and Workarounds for Disaster Recovery

Bug Description

6318682, 6318619, 6242031

Workarounds may be needed on Windows operating systems to avoid issues with cloning.

See "Workarounds on Windows Systems to Avoid Cloning Problems" for details.

6198538

Entries in TNSNAMES.ORA file that lack domain names cause disaster recovery problems.

See "Use Domain Names for Entries in the TNSNAMES.ORA File" for details.

6195864

Do not install ASG in a RAC Database Home if ASG was previously de-installed in the same Home directory.

If ASG is installed in a RAC database Oracle home, make sure that the ASG components were not de-installed in that RAC database home. If ASG is installed in a RAC database home after it was de-installed, ASG may not detect the cluster nodes.

6127890

The ASG clone topology and clone instance commands are not supported by disaster recovery configurations where production and standby peer systems have a different number of ORACLE_HOME directories.

As part of the cloning operation, the Oracle Inventory for each host is cloned. Therefore, the assumption is that the Oracle Home configuration is symmetrical for any host that is being cloned.

For a full description of supported Disaster Recovery asymmetric topologies, refer to Section 5.1.3.2 of the Application Server High Availability Guide for release 10.1.3.2.0.

6047705

Use the same port for ASG on the primary site and standby site(s) in Disaster Recovery configurations; otherwise, an ASG clone instance operation can fail with error messages such as the following:

3-May 15:45:43  >>clone instance prodsso1 to stbyinfra1
3-May 15:45:43  stamx11: -->ASG_DUF-4950: An error occurred on host
"stamx11" with IP "140.87.21.201" and port "7890"
stamx11: -->ASG_DUF-3601: Error connecting to server host 152.68.64.213
on port 7890
stamx11: -->ASG_DUF-3512: Error creating remote worker on node 152.68.64.213:7890.

The dsa.conf file contains ASG configuration information, and it is configured into the Application Server instance's backup/restore configuration. Due to this, the dsa.conf file from a production site's instance will be synchronized to the corresponding standby site's instance.

The port numbers between the production and standby instance pairings should match for ASG.

6013561

The SIDs must be the same for database peers at a primary site and standby site(s) in a Disaster Recovery topology.

6011128

As a best practice, use fully qualified path names with the ASG add instance command in Disaster Recovery configurations.


10.2 Details for Disaster Recovery

This section discusses the following topics:

10.2.1 Workarounds on Windows Systems to Avoid Cloning Problems

On Windows systems, perform the following workarounds before performing cloning operations in disaster recovery configurations:

  1. Install version 5.0.2134.1 or higher of sc.exe (the services kit) under the C:\windows\system32 directory before performing cloning operations in disaster recovery configurations.

    If you do not take this step prior to performing a cloning operation on Windows, you may see errors similar to these during an ASG cloning operation:

    stajz09: -->ASG_DUF-4040: Error executing the external program or script.
    The error code is "255"
    stajz09: -->ASG_IAS-15689: Error running the backup script
    stajz09: -->ASG_IAS-15685: Failed to backup configuration data for instance
    "IM.asinfra.us.oracle.com"
    stajz09: -->ASG_DUF-3027: Error while executing Clone Instance at step -
    backup step.
    stajz09: -->ASG_DUF-3027: Error while executing Clone Topology at step -
    clone home step.
    
  2. For the dcm-daemon component in the %ORACLE_HOME%\opmn\conf\opmn.xml file, increase the start timeout parameter's retry interval to 5 seconds. The following example shows the section of the opmn.xml file for the dcm-daemon component with the start timeout parameter's retry interval set to 5:

    <ias-component id="dcm-daemon" status="enabled" id-matching="true">
        <process-type id="dcm-daemon" module-id="DCMDaemon">
            <start timeout="600" retry="5"/>
            <stop timeout="120"/>
            <process-set id="dcm" numprocs="1">
    

    If you do not take this second step prior to performing a cloning operation on Windows, you may see errors similar to these during an ASG cloning operation:

    stajz09: -->ASG_SYSTEM-100: Command "C:\work\im/opmn/bin/opmnctl.exe shutdown"
    failed, check log file C:\work\im\dsa\bkup\log/2007-07-17_01-41-51_loha.log
    for detail.
    stajz09: -->ASG_SYSTEM-100: Failure : prepare failed
    stajz09: -->ASG_SYSTEM-100:
    stajz09: -->ASG_SYSTEM-100: OPMN managed processes could not be stopped.
    stajz09: -->ASG_SYSTEM-100: Status code:
    stajz09: -->ASG_SYSTEM-100: opmnctl shutdown failed.
    
  3. If the 10.1.2.2 patch set is applied on top of 10.1.4 IM, then you must apply patch 5950169 also, otherwise cloning operations will fail.

10.2.2 Use Domain Names for Entries in the TNSNAMES.ORA File

In previous 10.1.4.x releases, database entries in the TNSNAMES.ORA file were created without a domain name.

Disaster recovery can experience problems with instantiate topology or other ASG operations if any database entries in the TNSNAMES.ORA file lack domain names.

For example, the following entry in the TNSNAMES.ORA file lacks a domain name and could cause problems for disaster recovery:

ORCL1 =
 (DESCRIPTION =
   (ADDRESS_LIST =
     (LOAD_BALANCE = yes)
     (ADDRESS = (PROTOCOL = TCP)(HOST = idmdrtest)(PORT = 1521))
   )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl1.pdx.com)
     )
   )
 )

In this example, to prevent problems with Disaster Recovery, you would add the domain name (for example, PDX.COM) to the alias on the first line of the TNSNAMES.ORA entry, as in the following example:

ORCL1.PDX.COM =
 (DESCRIPTION =
   (ADDRESS_LIST =
     (LOAD_BALANCE = yes)
     (ADDRESS = (PROTOCOL = TCP)(HOST = idmdrtest)(PORT = 1521))
   )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl1.pdx.com)
     )
   )
 )

By adding the domain name to TNSNAMES.ORA file entries, you may be able to avoid error messages such as the following that can occur during an instantiate topology operation:

>>instantiate topology to voidhost1

idmdrtest.pdx.com 10.196.6.80:7892 (home /home/oracleqa/DREDG/immr10142)
     HA directory exists for instance im1.idmdrtest.pdx.com
     HA directory exists for instance orcl1

idmdrtest.pdx.com 10.196.6.150:7892 (home /home/oracleqa/DREDG/immr10142)
     HA directory exists for instance im1.idmdrtest.pdx.com
     HA directory exists for instance orcl1

idmdrtest.pdx.com 10.196.6.80:7892
   Verifying that the topology is symmetrical in both primary and standby
configuration

idmdrtest.pdx.com 10.196.6.80:7892 (home /home/oracleqa/DREDG/immr10142)
    This is primary infrastructure host
idmdrtest.pdx.com: -->ASG_DUF-4950: An error occurred on host
"idmdrtest.pdx.com" with IP "10.196.6.80" and port "7892"
idmdrtest.pdx.com: -->ASG_ORACLE-300: ORA-12560: TNS:protocol adapter error
idmdrtest.pdx.com: -->ASG_DUF-3700: Failed in SQL*Plus executing SQL
statement:  connect sys/******@orcl1.pdx.com as sysdba;.
idmdrtest.pdx.com: -->ASG_DUF-3502: Failed to connect to database
orcl1.pdx.com.
idmdrtest.pdx.com: -->ASG_IAS-15753: Error preparing to instantiate the
topology on host "idmdrtest.pdx.com"
idmdrtest.pdx.com: -->ASG_DUF-3027: Error while executing Instantiating each
instance in the topology to standby topology at step - prepare step.

>>disconnect
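The following Python script is an added example for these patch notes, not Oracle code. It parses the net service entries of a tnsnames.ora file, reports every alias that lacks a domain component, and proposes the fully qualified alias by reusing the domain of the entry's SERVICE_NAME, which is the fix the patch notes describe for ORCL1. The embedded sample file is constructed: it contains the ORCL1 entry from above plus an assumed, already-qualified IM1.PDX.COM entry and an IFILE parameter to show that non-entry lines are skipped. Pass the path of a real tnsnames.ora as the first argument to check a site file.

```python
"""Find tnsnames.ora aliases that lack a domain component.

Added example for these patch notes, not Oracle code. It parses the
net service entries of a tnsnames.ora file, flags each alias with no
'.' in it, and suggests the fully qualified alias by reusing the domain
of the entry's SERVICE_NAME (ORCL1 + orcl1.pdx.com -> ORCL1.PDX.COM).
"""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample: the ORCL1 entry from the patch notes plus an
# assumed, already-qualified IM1.PDX.COM entry and an IFILE parameter.
SAMPLE_TNSNAMES = """
# constructed sample, not a real site file
IFILE=/etc/tnsnames_extra.ora
ORCL1 =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (LOAD_BALANCE = yes)
      (ADDRESS = (PROTOCOL = TCP)(HOST = idmdrtest)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl1.pdx.com)
    )
  )
IM1.PDX.COM =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = idmdrtest)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = im1.pdx.com))
  )
"""


def parse_tnsnames(text: str) -> Dict[str, str]:
    """Return {alias: body} for every net service entry in the file.

    An entry is one or more comma-separated aliases, '=', and a
    parenthesised body; the end of the body is found by tracking
    parenthesis depth so nested ADDRESS/CONNECT_DATA sections stay
    intact. Lines whose value is not parenthesised (e.g. IFILE=...)
    are skipped. '#' starts a comment.
    """
    stripped = "\n".join(ln.split("#", 1)[0] for ln in text.splitlines())
    entries: Dict[str, str] = {}
    n, i = len(stripped), 0
    while True:
        eq = stripped.find("=", i)
        if eq == -1:
            break
        alias_part = stripped[i:eq].strip()
        k = eq + 1
        while k < n and stripped[k].isspace():
            k += 1
        if k >= n:
            break
        if stripped[k] != "(":
            nl = stripped.find("\n", k)      # parameter, not an entry
            i = n if nl == -1 else nl + 1
            continue
        depth, j = 0, k
        while j < n:
            if stripped[j] == "(":
                depth += 1
            elif stripped[j] == ")":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        for alias in alias_part.split(","):
            if alias.strip():
                entries[alias.strip()] = stripped[k:j + 1]
        i = j + 1
    return entries


def service_name(body: str) -> Optional[str]:
    """Extract the SERVICE_NAME value from an entry body, if any."""
    m = re.search(r"\(\s*SERVICE_NAME\s*=\s*([^)\s]+)\s*\)", body, re.I)
    return m.group(1) if m else None


def unqualified_aliases(text: str) -> List[dict]:
    """Report aliases with no domain component and a suggested fix."""
    findings = []
    for alias, body in parse_tnsnames(text).items():
        if "." in alias:
            continue
        svc = service_name(body)
        suggestion = None
        if svc and "." in svc:
            suggestion = alias + "." + svc.split(".", 1)[1].upper()
        findings.append({"alias": alias, "service_name": svc,
                         "suggested_alias": suggestion})
    return findings


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TNSNAMES
    for f in unqualified_aliases(src):
        print(f"alias {f['alias']} has no domain; SERVICE_NAME="
              f"{f['service_name']}; suggested alias {f['suggested_alias']}")
```

On the sample the script reports only ORCL1 and suggests ORCL1.PDX.COM. One caveat: the check looks at the file alone. If sqlnet.ora sets NAMES.DEFAULT_DOMAIN, Oracle Net appends that domain to unqualified connect identifiers at resolution time, so compare the script's findings with that setting before renaming aliases on a host.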

11 Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at http://www.oracle.com/accessibility/.

Accessibility of Code Examples in Documentation

Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

TTY Access to Oracle Support Services

Oracle provides dedicated Text Telephone (TTY) access to Oracle Support Services within the United States of America 24 hours a day, 7 days a week. For TTY support, call 800.446.2398. Outside the United States, call +1.407.458.2479.


Oracle Identity Management Patch Set Notes, 10g Release 3 Patch Set 1 (10.1.4.2).

E10972-01

Copyright © 2007, Oracle. All rights reserved.

The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.

If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs.

Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.