Release Notes
Bundle Patch 11.1.1.5.7 Generic
See Also:
Oracle Access Manager Webgate Bundle Patch 11.1.1.5.6 Release Notes for Linux,
Solaris SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP PA-RISC Operating
Systems described in Section 3.2, "Patch Set Notes and Bundle Patch Notes"
This document supersedes the documentation that accompanies Oracle Access Manager 11g Release
1 (11.1.1), and earlier documents if any. This document contains the following sections:
Section 1, "Documentation Accessibility"
Section 2, "Bundle Patch Overview"
Section 3, "Documentation"
Section 4, "Bundle Patch Requirements"
Section 5, "Before You Install This Bundle Patch"
Section 6, "Bundle Patch Installation and Removal"
Section 7, "Known Issues"
Section 8, "Fixes Included in This Cumulative Bundle Patch"
Section 9, "Documentation Issues Resolved in This Bundle Patch"
1 Documentation Accessibility
Our goal is to make Oracle products, services, and supporting documentation accessible to all users,
including users that are disabled. To that end, our documentation includes features that make
information available to users of assistive technology. This documentation is available in HTML
format, and contains markup to facilitate access by the disabled community. Accessibility standards
will continue to evolve over time, and Oracle is actively engaged with other market-leading
technology vendors to address technical obstacles so that our documentation can be accessible to all
of our customers. For more information, visit the Oracle Accessibility Program Web site at
http://www.oracle.com/accessibility/.
Accessibility of Code Examples in Documentation
Screen readers may not always correctly read the code examples in this document. The conventions
for writing code require that closing braces should appear on an otherwise empty line; however,
some screen readers may not always read a line of text that consists solely of a bracket or brace.
Accessibility of Links to External Web Sites in Documentation
This documentation may contain links to Web sites of other companies or organizations that Oracle
does not own or control. Oracle neither evaluates nor makes any representations regarding the
accessibility of these Web sites.
Deaf/Hard of Hearing Access to Oracle Support Services
To reach Oracle Support Services, use a telecommunications relay service (TRS) to call Oracle
Support at 1.800.223.1711. An Oracle Support Services engineer will handle technical issues and
provide customer support according to the Oracle service request process. Information about TRS is
available at http://www.fcc.gov/cgb/consumerfacts/trs.html, and a list of phone numbers
is available at http://www.fcc.gov/cgb/dro/trsphonebk.html.
Note:
To remain in an Oracle-supported state, Oracle recommends that you apply the
bundle patch to all installed components for which packages are provided.
Table 1 outlines the differences between a bundle patch and a standard patch set.
Mechanism    Description
Bundle Patch
A bundle patch is an official Oracle patch mechanism for Oracle Access Manager
components on baseline platforms. Each bundle patch includes the libraries and
files that have been rebuilt to implement one or more fixes.
This bundle patch must be applied to Oracle Access Manager 11g Release 1
(11.1.1) components.
See Also: Section 5, "Before You Install This Bundle Patch".
Patch Set
Oracle Access Manager 11g Release 1 (11.1.1) is a patch set and is the required
base for this bundle patch.
A patch set is a mechanism for delivering fully tested and integrated product fixes
that can be applied to installed components of the same release. Patch sets
include all of the fixes available in previous bundle patches for the release. A
patch set can also include new functionality.
All of the fixes in the patch set have been tested and are certified to work with
one another on the specified platforms.
Each patch set provides the libraries and files that have been rebuilt to
implement bug fixes (and new functions, if any). However, a patch set might not
be a complete software distribution and might not include packages for every
component on every platform.
See Also:
Oracle Access Manager Webgate Bundle Patch 11.1.1.5.6 Release Notes for Linux,
Solaris SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP PA-RISC Operating
Systems
A BPnn is the short name for a specific bundle patch release. Bundle patch 7 (BP07), for
example, is also known as release 11.1.1.5.7: the base release followed by the bundle patch
number.
A component might refer to a specific Oracle Access Manager component, such as OAM Server
or a specific Webgate.
Example
Bundle
Patch
OAM Server
11g Agents
Example
p17184828_111157_LINUX.zip
Oracle_Access_Manager_11_1_1_5_7_BP07_generic_server_components.zip
Convention
Oracle_Access_Manager_11_1_1_5_7_BPnn_Webserver_Webgate.zip
Example
Oracle_Access_Manager_11_1_1_5_7_BP07_OHS_Webgate.zip
OAM Identity
Assertion
Provider
Convention
oamAuthnProvider
Example
oracle.oamprovider_11.1.1/oamAuthnProvider.jar
3 Documentation
This section describes the documentation that is available to support the latest bundle patch and the
original release. This section provides the following topics:
Section 3.1, "Oracle Access Manager Manuals and Release Notes"
Section 3.2, "Patch Set Notes and Bundle Patch Notes"
Section 3.3, "Certification Documentation"
Oracle Access Manager chapter of the Oracle Fusion Middleware Release Notes 11g Release 1
(11.1.1).
Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle
Security Token Service.
Oracle Fusion Middleware Integration Guide for Oracle Access Manager.
Oracle Fusion Middleware Upgrade Planning Guide.
Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management.
Oracle Fusion Middleware Upgrade Guide for Java EE.
Oracle Fusion Middleware Administrator's Guide.
Oracle Fusion Middleware Application Security Guide
Oracle Application Server Single Sign-On Administrator's Guide.
Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.
Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
This document, Oracle Access Manager Release Notes for Bundle Patch 11.1.1.5.7 Generic, provides
the following information for this specific bundle patch release:
General information about bundle patches
General bundle patch requirements and installation details
Details about what is included in this bundle patch
This Oracle Access Manager Release Notes for Bundle Patch 11.1.1.5.7 Generic document is
available in HTML format, as readme.htm, which you can view without downloading the zip
file.
The companion Oracle Access Manager Webgate Bundle Patch 11.1.1.5.6 Release Notes for Linux,
Solaris SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems provides
the following information for WebGates delivered with Oracle Access Manager Bundle Patch
11.1.1.5.7.
General information about bundle patches
Go to ..
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certificati
See the Oracle Identity Management 10g downloads page, Oracle Access Manager 10g - non OHS11g W
Party Integrations section.
http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html
Note:
If you have already installed an 11.1.1.5.x Bundle Patch, you can install Bundle
Patch 11.1.1.5.7 on top of it.
See Also:
Table 3 for details about the certification matrix, installer packages, and
readme files
Oracle Access Manager Webgate Bundle Patch 11.1.1.5.6 Release Notes for
Linux, Solaris SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP
PA-RISC Operating Systems
Patch 11.1.1.5.6 Release Notes for Linux, Solaris SPARC, Solaris X64,
Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems.
Earlier Webgates
Note:
Oracle Access Manager Server 11.1.1.5.6 has been tested with the WebGate MLR
17184828 patch applied on top of the OAM WebGate Bundle Patch 11.1.1.5.5. It is
recommended to apply this WebGate MLR patch which contains the well tested,
important WebGate fixes.
Note:
If your system configuration does not meet support requirements, or if you are not
certain that your system configuration meets these requirements, Oracle
recommends that you log a Service Request to get assistance with this bundle
patch. Oracle Support will make a determination about whether you should apply
this bundle patch or not.
Note:
Oracle recommends that you always install the latest bundle patch.
Note:
Oracle recommends that you have the latest version of Opatch from My Oracle
Support (formerly Oracle MetaLink). Opatch requires access to a valid Oracle
Universal Installer (OUI) Inventory to apply patches.
The patching process uses both unzip and Opatch executables. After sourcing the ORACLE_HOME
environment, Oracle recommends that you confirm that both of these exist before patching.
Perform steps in the following procedure to prepare your environment and download the bundle
patch. Due to formatting constraints in this document, some sample text lines wrap around. These
line wraps should be ignored.
Note:
Ignore line wrapping in syntax examples and ignore steps that do not apply to your
environment.
See Also:
Oracle Access Manager Webgate Bundle Patch 11.1.1.5.6 Release Notes for Linux, Solaris
SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems
Ignore steps that do not apply to your environment. Steps that relate to only a specific condition are
identified with a bold condition.
Note:
Step 1 is relevant only after an in-place upgrade from Oracle Access Manager
11.1.1.3.0 to 11.1.1.5.0. Artifacts introduced in 11.1.1.5.0 for Oracle Security Token
Service will be missing in your $DOMAIN_HOME.
$ORACLE_HOME/oam/server/lib/jmx
TO $DOMAIN_HOME/config/fmwconfig/mbeans/oam
$ORACLE_HOME/oam/server/config/mbeans/*.xml
TO $DOMAIN_HOME/config/fmwconfig/mbeans
PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${OAM_ORACLE_HOME}/server/policy/
set PRE_CLASSPATH=%PRE_CLASSPATH%;%OAM_ORACLE_HOME%\server\policy\sts-policies.
Note:
To learn the Opatch version, use opatch -help. If Opatch is earlier than
11.1.0.8.3, you must download the latest 11.1.x version. However, do not
download Opatch 11.2.
If an error occurs, contact Oracle Support to validate and verify the inventory setup before
proceeding. If the ORACLE_HOME does not appear, it might be missing from the Central
Inventory, or the Central Inventory itself could be missing or corrupted.
5. Confirm that $ORACLE_HOME is pointing to the correct location ($MW_HOME/Oracle_IDM1)
and change this if needed.
6. On the computer that will host the bundle patch files, create a directory to store the unzipped
patch (referenced later as PATCH_TOP). For example:
Linux: /home/11.1.1.5.7/tmp
Solaris: /opt/11.1.1.5.7/tmp
Windows: C:\11.1.1.5.7\tmp
7. Retrieve the Bundle Patch:
a. From My Oracle Support, click the Patches & Updates link.
b. Enter the Patch ID or Number, then click Search to display a Patch Search Results
table.
c. Using the Release and Platform columns, find the desired patch, then click the
associated Patch ID.
d. Download: In the page that appears, click the Download button to retrieve the
packages.
8. Unzip the patch zip file into the PATCH_TOP directory you created earlier. For example:
unzip -d PATCH_TOP p19730928_111150_Generic.zip
9. On OAM Servers, move RREG.TAR and the /rreg folder from the client and store them in a
different location. For example:
From: $ORACLE_HOME/oam/server/rreg/client/rreg/
To: $ORACLE_HOME/backup/oam/server/rreg/client/rreg
10. Proceed to Section 6.2, "Installing a Bundle Patch on Any Platform":
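The checks called for in the preparation steps above (both unzip and Opatch present, $ORACLE_HOME set, Opatch at 11.1.0.8.3 or later but not 11.2), written as a shell script. This is an added example, not part of Oracle's notes; the function names are hypothetical, and it assumes the text printed by opatch -help contains the version as a dotted number with at least four fields.

```sh
#!/bin/sh
# Pre-patch checks for the preparation steps (added example, not Oracle's script).

MIN_OPATCH="11.1.0.8.3"   # minimum Opatch version stated in these notes

# version_ge A B: succeed when dotted numeric version A >= B.
# Fields are compared as numbers, so 11.1.0.10.0 is newer than 11.1.0.8.3.
version_ge() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*}; fb=${vb%%.*}
        if [ "$va" = "$fa" ]; then va=; else va=${va#*.}; fi
        if [ "$vb" = "$fb" ]; then vb=; else vb=${vb#*.}; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# opatch_version_ok V: accept only 11.1.x releases at or above MIN_OPATCH.
# Rejecting every other release line is this example's reading of the note
# "download the latest 11.1.x version ... do not download Opatch 11.2".
opatch_version_ok() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;                  # not a dotted numeric version
        11.1.*) version_ge "$1" "$MIN_OPATCH" ;;
        *) return 1 ;;                             # 11.2 and other lines
    esac
}

# extract_version TEXT: print the first dotted version (4+ fields) found in TEXT.
# The output format of opatch -help is assumed, not taken from the notes.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+){3,}' | head -n 1
}

# preflight: run every check and return the number of failures.
preflight() {
    fails=0
    if [ -z "${ORACLE_HOME:-}" ] || [ ! -d "$ORACLE_HOME" ]; then
        echo "FAIL: ORACLE_HOME is unset or not a directory" >&2
        fails=$((fails + 1))
    fi
    for tool in unzip opatch; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "FAIL: $tool not found on PATH" >&2
            fails=$((fails + 1))
        fi
    done
    if command -v opatch >/dev/null 2>&1; then
        # The notes say the version is shown by "opatch -help".
        found=$(extract_version "$(opatch -help 2>&1)")
        if opatch_version_ok "$found"; then
            echo "OK: Opatch $found"
        else
            echo "FAIL: Opatch '${found:-unknown}' is not 11.1.x >= $MIN_OPATCH" >&2
            fails=$((fails + 1))
        fi
    fi
    return "$fails"
}

# Run the checks only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    preflight
    exit $?
fi
```

Run the script with --check after sourcing the ORACLE_HOME environment; a non-zero exit status is the number of failed checks.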
remove (roll back) the bundle patch even if you have deleted the original bundle patch files from the
temporary directory you created.
Oracle recommends that you back up the $ORACLE_HOME using your preferred method before any
patch operation. You can use any method (zip, cp -r, tar, and cpio) to compress the $ORACLE_HOME.
When Opatch starts, it validates the patch to ensure there are no conflicts with the software already
installed in your $ORACLE_HOME:
Conflicts with a patch already applied to the $ORACLE_HOME. In this case, stop the patch
installation and contact Oracle Support Services.
Conflicts with subset patch already applied to the $ORACLE_HOME. In this case, continue
installation because the new patch contains all the fixes from the existing patch in the
$ORACLE_HOME. The subset patch is automatically rolled back before installation of the new
patch begins.
This patch is not -auto flag enabled. Table 5 describes the Opatch application mode. The following
procedure provides steps.
Description
opatch apply
cd PATCH_TOP/19730928
4. Run the appropriate Opatch command as an administrator to ensure the required permissions
are granted to update the central inventory and apply the patch to your $ORACLE_HOME:
opatch apply
Note:
Opatch operates on one instance at a time. If you have multiple instances,
you must repeat these steps for each instance.
5. Multiple Instances: Repeat Steps 1-5 to apply the bundle patch to each instance throughout
your installation.
6. Continue with Section 6.3, "Using Automation Scripts for Post-Installation Tasks".
-t <WLS_MAX_TRIES> ... the number of times the script attempts to connect to the AdminServer
(default is 15)
-w <WLS_WAIT_TIME> ... the number of seconds between each attempt (default is 10)
Note:
The domainAutomation script starts the AdminServer yet the time needed for the
server to be in the RUNNING state is unknown. These optional parameters
determine how long the script waits before failing if it cannot connect to the server.
By default the waiting time is set to 150 seconds. If this time is not sufficient, it can
be increased through the -t and -w options.
Note:
Use the following steps to manually update your oam-config.xml file and retain the
earlier version, whether you have applied an earlier bundle patch or not.
Prerequisites
Section 6.3, "Using Automation Scripts for Post-Installation Tasks"
To finish patching with this integration
1. Start the AdminServer and OAM Server.
2. Log in to the Oracle Access Manager Console.
3. From the Policy Configuration tab, navigation tree, expand the Shared Components node.
4. Create an Authentication Scheme:
a. Click the Authentication Schemes node, then click the Create button in the tool bar.
b. Fill in the fresh Authentication Scheme page as follows:
Name: TAPResponseOnlyScheme
Description: TAPResponseOnlyScheme
Auth level: 2
Challenge method: DAP
Challenge Redirect URL: /oam/server/
Authentication Module: DAP
Challenge URL: http(s)://thirdpartyhost:port/loginPage
Context Type:
Challenge Parameters:
c. Click Apply to submit the new scheme, dismiss the Confirmation window, then check the
navigation tree for the new scheme.
5. Create an Authentication Policy:
a. Expand the Application Domains node, then expand the IAMSuite node.
b. Click the Authentication Policies node, then click the Create button in the tool bar.
c. Fill in the fresh Authentication Policy page as follows:
Name: TAP Response Protected Policy
Description: TAP Response Protected Authentication Policy for OAMAgent
Authentication Scheme: TAPResponseOnlyScheme
d. Click Apply to submit the new policy, dismiss the Confirmation window, then check the
navigation tree for the new policy.
6. Create a Resource Definition:
a. In the IAMSuite Application Domain, open the Resources node and click the New
Resource button in the upper-right corner of the Search page.
b. On the Resource Definition page enter the following details:
Type: HTTP
Description: TAP Resource to be asserted against
Host Identifier: IAMSuiteAgent
Resource URL: /oamTAPResponseAssertResource
Protection Level: Protected
Authentication Policy: TAP Response Protected Policy
Authorization Policy: Protected Resource Policy
c. Click Apply to submit the new resource definition, dismiss the Confirmation window,
then close this page.
7. Add Resources to the Authentication Policy:
a. In the IAMSuite Application Domain, open the Authentication Policy TAP Response
Protected Policy.
b. Click the Resources tab on the Authentication Policy page.
c. Click the Add button on the tab.
Note:
If any configuration changes were performed after the patch was applied, these will
be lost with domainAutomationRollback.
a. cd $PATCH_TOP/19730928/files/oam/server/scripts/opatch
b. Add execute permission to the domainAutomationRollback.sh file:
chmod u+x domainAutomationRollback.sh
4. Restart all OAM Servers, which will take up the new oam-config.xml.
Note:
After doing a rollback of the Access Manager patch in an integrated OAM-OIM
environment, restart all servers.
7 Known Issues
Table 6 identifies any known issues with this bundle patch release.
See Also:
Oracle Fusion Middleware Release Notes for known issues with the full-installer
release
11.1.1.5.6 17539895 Custom plugins uploaded after applying any OAM Bundle Patch will not be available after a patch
Similarly, any changes done to the oam-config.xml file after applying OAM Bundle Patch are remo
rollback the patch.
Bundle Patch Number    Base Bug Number    Description of the Problem
11.1.1.5.2 15909678 If a user attempts to login to OIM using OAM, the account is locked after too many attempts with
password (the obLoginTryCount LDAP attribute is plus one for every incorrect password login). U
redirected to Forgot Password process. At the end, it is expected to see a pop up that the passwo
reset and the user will be automatically logged in to OIM. Instead, the user is redirected back to
Password page to complete the process a second time.
Work Around
After completing the process a second time, the user will be automatically logged in.
11.1.1.5.2 13620606 Remote registration failed to run with Oracle Access Manager administrative user credentials. A s
occurred with following messages:
User does not belong to the group that is
authorized to perform registration.
Registration failed. Try again after
verifying the users group.
Work Around
From the Oracle Access Manager Console, find the user identity store that is designated as the Sy
the System Store configuration page, add the username that is granted authority to run remote r
Generally, this is the same userID that has access to log in to the Oracle Access Manager Console
For example, open the System Store registration page, within the Access System Administrators s
new administrative username (oamAdminUser, for example) in addition to the group (
which might already be present.
See Also: "Managing Administrator Roles" in the Oracle Fusion Middleware Administrator's Guide
Manager with Oracle Security Token Service.
11.1.1.5.2 13481036 Basic Authentication might not work properly with Oracle Access Manager 11.1.1.5.2. A popup fo
repeats, even after entering valid credentials, and the user cannot log in.
11.1.1.5.2 12992160 On the AIX Platform, Simple Security Mode is not functioning with OAM Server 11.1.1.5.2.
Work Around:
Install OAM Server and 10g Webgate on AIX platform and specify either Open or Cert Security M
11.1.1.5.1 12887343 Migrating Artifacts from an 11.1.1.5.0 Domain to an 11.1.1.5.1 Domain: Simple Mode Not Workin
After migrating artifacts from 11.1.1.5.0 to 11.1.1.5.1, the mode of oam_server1 is not changed
from Open mode. However, oam-config.xml from artifacts.zip.gz has the Simple mode value for o
During the upgrade from Oracle Access Manager 11.1.1.5 to 11.1.1.5.1, the OAM Server Security
set to Open mode. However, you must change the mode by modifying the IAMSuiteAgent registra
bundle patch installation. Otherwise, Administrators might not be able to log in to the upgraded O
Manager Console.
See Also: Step 5 in Section 6.3.
11.1.1.5.1 12769177 Windows 2008 64-bit System
You might encounter an issue with insufficient privileges to the Central Inventory:
java.io.FileNotFoundException: C:\Program Files\Oracle\Inventory\logs\OP
... (Access is denied)
Unable to lock Central Inventory.
OPatch will attempt to re-lock.
Do you want to proceed? [y|n]
Work Around
Run the appropriate Opatch command as an administrator to ensure the required permissions are
update the central inventory.
11.1.1.5.6 16389891 Resolved issue with basic authentication that does not re-prompt user for basic pop up if invalid
re-prompted for credentials until maximum retry limits are not exceeded.
11.1.1.5.6 16971881 Performance issue in OAM Coherence cache characterized by stuck threads and ConcurrentModi
11.1.1.5.6 16615701 Redirect to PWDMGMT.JSPX is missing the host name when port 80 is used.
11.1.1.5.6 16569015 OAM SSO logout does not expire all WebGate 11g cookies for multiple host names.
11.1.1.5.6 16281463 Policy failure redirect when user omits password during Basic authentication credential collection
11.1.1.5.6 16817786 WLST importPolicyDelta command removes blank port/host identifier variations.
11.1.1.5.6 15962518 Error occurs while importing a custom plugin.
11.1.1.5.6 15863291 GSSEXCEPTION is not recorded when OAM WNA fails due to Kerberos error.
11.1.1.5.6 14733826 OAM fails to reconnect to LDAP if LDAP was started after OAM.
11.1.1.5.6 14563021 Unable to add policy to resource.
Bundle Patch Number    Base Bug Number    Description of the Problem Solved
11.1.1.5.6 14138833 OAM_PROXY 11.1.1.3.0 Exception thrown while decrypting token - AuthID field not found in coo
11.1.1.5.6 14053429 Forms 11.1.2.0.0 unable to connect to OAM 11.1.1.5.0BP02.
11.1.1.5.6 13474531 Unable to enter resource URL with more than 256 characters.
This issue has been fixed but there is an upper limit of 1800 characters on the length of the UR
resource is created using a URL with more than 1800 characters, the operation will fail and exce
11.1.1.5.6 13012345 OAMRUNTIMEEXCEPT: Unable to access OAAM protected resource.
11.1.1.5.6 12541526 An issue that does not allow resources with invalid encoded characters. For example: resource /
11.1.1.5.6 14349888 Fix for 14349888.
11.1.1.5.6 12743709 Fix for 12743709.
11.1.1.5.6 16635205 Thread pool issues in the OAM and OIM Weblogic servers when accessing Coherence cache are
13993968
11.1.1.5.5 14400679 Resolves an issue that caused an Unbalanced Parenthesis error with a custom plug-in.
This is fixed.
11.1.1.5.5 14356645 Resolves an issue that was encountered when the user clicks Cancel during credential collection
This is fixed.
11.1.1.5.5 14331847 Resolves an issue where a DOS attack on the OAM Server would result in OutOfMemory Excepti
This is fixed.
11.1.1.5.4 14139424 Resolves an issue that occurred when registering a fresh OSSO partner with a desire to use the
migrated partners.
This is fixed. If the SiteName begins with migratedSSOPartners, the new partner is considered a
11.1.1.5.4 13982059 Resolves an issue that occurred when attempting to log in to the Oracle Access Manager Consol
The non-SSL port is turned off and when the Embedded LDAP is used for authentication, loggin
login page is presented repeatedly without accepting credentials.
This is fixed. You might need to update the startManagedWebLogic.sh file to point WebLog
establish SSL connections between AdminServer and OAM Servers:
JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore="<path_to_trust_store
export JAVA_OPTIONS
Modify the Admin URL value to point to the AdminServer's SSL port: ADMIN_URL="https://
11.1.1.5.4 13962108 Resolves an issue with Oracle Access Manager/Oracle Identity Federation environment. When us
OAMSSA-14003: Policy runtime failed.
Setting the request cache type to FORM was not working.
This is fixed and requires Oracle Identity Federation patch 13781779 to be installed.
11.1.1.5.4 13930141 Resolves an issue that occurred when the Access Client is initialized multiple times and performe
irrespective of changes made on the server side. This write operation was due to a configuration
This is fixed.
11.1.1.5.4 13859351 Resolves an issue with PasteConfig for application domains, which failed while importing policies
This is fixed.
11.1.1.5.4 13858201 Resolves an issue of attributes set with 11g ASDK (setSessionAttributes) were not available usin
This is fixed.
11.1.1.5.4 13780347 Resolves an issue that occurred when a browser sends an Authorization header that contains an
was unable to provide a Kerberos token during Windows Native Authentication, it might instead
does not support NTLM and incorrectly handled the error by sending the client into a redirect lo
This is fixed.
11.1.1.5.4 13774650 Resolves an issue that occurred with Internet Explorer browser. The Oracle Access Manager Log
submission of the form, the response renders in a new window instead of the modal window.
This is fixed.
11.1.1.5.4 13555542 Resolves an issue that occurred during authentication. The user entered the correct credentials,
Webgate entered into a loop.
This is fixed.
11.1.1.5.4 13554467 Resolves an issue that occurred when trying to activate a custom plug-in (in the Oracle Access M
activation failed.
If the machine has a physical IP address and a different virtual IP address, activation of custom
Server based on the host name set in the server's registration. If the query doesn't match, activ
This is fixed. A check now verifies the exception return is user disabled and returns an OAM-5 e
11.1.1.5.4 13356624 Resolves an issue that occurred when Oracle Internet Directory was down. Oracle Access Manag
This is fixed. p_error_code is correctly set when there is no contact with the identity store.
11.1.1.5.4 13090748 Resolves an issue that causes inconsistent behavior with Windows Native Authentication (WNA a
deployment. Authentication fails when a duplicate samAccountName was encountered.
This is fixed.
11.1.1.5.4 13086385 Resolves an issue that produced authentication failure in a trusted Active Directory forest when
This is fixed.
11.1.1.5.4 13078251 Resolves an issue that occurred when trying to extract PrincipalName attribute and X509 authen
being supported.
This is fixed. Added support for PrincipalName, which can now be extracted from the certificate.
11.1.1.5.4 12723591 Resolves an issue that occurred when the identity store is configured as the System Store with n
registration fails because the tool cannot validate the user's role as an administrator.
This is fixed. Even if the configuration does not contain any user, validation for a user belonging
registration is successful.
11.1.1.5.4 11867065 Resolves an issue that occurred when a user deletes the session used for the Oracle Access Man
This is fixed.
11.1.1.5.3 13600589 Resolves an issue that occurred when load testing a multi-threaded OAM SDK application. With
logout, exceptions are raised.
Access Exception: java.lang.Exception: Failed to
communicate with any of configured Access Server,
ensure that it is up and running....
This is fixed.
11.1.1.5.3 13720022 Resolves an issue that caused the number of threads in a client application with the SDK to kee
This is fixed by adding thread cancel logic to the API.
11.1.1.5.3 13507344 Resolves an issue that occurred when an Authentication Scheme used a composite Authenticatio
with the correct module.
This is fixed.
11.1.1.5.3 13834510 Resolves an issue that caused integration between Oracle Access Manager and Oracle Adaptive
Authentication Scheme.
This is fixed.
11.1.1.5.3 13826271 Resolves a typo in oam-config.xml that prevented the OSSO Agent from working.
This is fixed by replacing ccheck_request_creds with check_request_creds.
11.1.1.5.3 13586109 Resolves an issue that caused a query string integrity check to fail during stress testing. The fol
<Error> <oracle.oam.proxy.oam> <BEA-000000>
<Query Validate Hash and generated validate hash do not match. ....
This is fixed.
Login successful without error.
11.1.1.5.3 13564299 Resolves an issue that prevented first-time users (created with the Identity Management Consol
Logging in with a new password worked if the user clicked the Forgot Password link on the login
Identity Management Console she was redirected to the Password Reset page to change and su
login page with the error:
An incorrect Username or Password was specified
This is fixed.
11.1.1.5.2 13482800 Resolves an issue that prevented the orchestrated plug-in execution sequence from resuming fr
This is fixed.
See Also: Bug 13368820 in this table.
11.1.1.5.3 13371595 Resolves an issue that prevented the uptake of the load balancing port by the OAM Server durin
This is fixed.
11.1.1.5.3 12812506 Resolves an issue that prevented global login and logout from working with various agent types
Manager 11.1.1.5.0.
This is fixed.
11.1.1.5.3 13587714 Resolves an issue that prevented multi-value attributes defined in LDAP from being returned by
11.1.1.5.1.
This is fixed.
11.1.1.5.3 13491476 Resolves an issue that prevented users from logging in with a new session by destroying existin
sessions allowed per user was set to 1, and if user logged in from a new browser without first log
limit reached error message was displayed.
This is fixed. Users can now log in with a new session by destroying existing session.
11.1.1.5.3 13485001 Resolves an issue that occurred using the Access SDK API to authenticate against a resource us
error was displayed
This is fixed.
11.1.1.5.3 13427676 Resolves an issue that occurred with the integration of Oracle Access Manager and Oracle Ident
an OAM-2 error message (incorrect Username or Password), when a user was disabled. The me
This is fixed. In this situation, Oracle Access Manager sends an OAM-5 error message. For more
Administrator's Guide for Oracle Access Manager with Oracle Security Token Service: Table 8-3 i
and recommended messages.
11.1.1.5.3 13372581 Resolves an issue that caused Windows Native Authentication to fail on AIX with the IBM JDK.
This is fixed. The keytabfile format that was documented does not work for IBM JDK. The manu
See Also: Bug 13521519 in Section 9, "Documentation Issues Resolved in This Bundle Patch"
11.1.1.5.3 13368316 Resolves an issue that occurred because the Content-Length and Content-Type headers were no
/obrareq.cgi?wh..." request when length of the message exceeded 1980 characters.
This is fixed. The Content-Length and Content-Type headers are now added to the POST respon
11.1.1.5.3 13025450 Resolves an issue with low file upload limits for custom plug-ins. The following message appear
uploading a custom plug-in JAR file:
Warning: The file upload failed. The file could not be uploaded because
This is fixed.
11.1.1.5.3 13019689 Resolves an issue that prevented Oracle Access Manager from asserting the requested URL to an
This is fixed. Oracle Access Manager now asserts the requested resource as "resource_url" quer
11.1.1.5.3 13720048 See:
Oracle Access Manager Webgate Release Notes, described in Section 3.2, "Patch Set Notes and
11.1.1.5.2 13368820 Adds an authentication plug-in Pause state to support multi-factor authentication.
The Pause state enables an authentication plug-in to suspend execution and request additional
credentials are obtained, authentication resumes from the point at which it paused.
On successful execution of authentication plug-ins, based on the orchestration strategy, the use
resource is granted.
See Also: Section 9, "Documentation Issues Resolved in This Bundle Patch" for updated plug-in
11.1.1.5.2 13395921 Resolves a Trusted Authentication Protocol (TAP) related issue that occurred when integrating O
Management.
11.1.1.5.2 13359259 Resolves an issue that caused cookie responses in the mod_osso partner authentication policy t
11.1.1.5.2 13257575 Resolved an issue that occurred when using a javascript-disabled browser. User logout did not r
This was fixed by removing some javascript reliance from the Oracle Access Manager logout pro
11g Agent logout URL callbacks are required, logging out terminates the user's session and redi
11.1.1.5.2 13254371 Resolves an issue that occurred when a user of a javascript-disabled browser failed to login. The
failure_url.
This was fixed by removing some reliance on javascript for browser redirects. Oracle Access Man
operation does not specify a requirement for javascript-POST redirect.
11.1.1.5.2 13097306 Resolves an issue in Oracle Access Manager and Oracle Identity Manager integration where disa
in Oracle Access Manager SSO login page.
11.1.1.5.2 13063981 Resolves an issue that occurred after upgrading from 10.1.2.3 OSSO. The problem prevented lo
11.1.1.5.2 13009705 Supports enhanced Trust Model using the Oracle Access Manager Identity Assertion Provider wit
This fix enables the IAP to determine which user to compare to the one specified in OAM_REMO
11.1.1.5.2 12991529 Resolves an issue that caused 10g Webgate to send a lengthy GET request instead of POST. You
Schemes "SwitchGetToPostLimit". Include a positive integer value to define the size of the
When data size exceeds this value, Oracle Access Manager performs a javascript POST-style red
This is fixed when you include the following challenge parameter in the authentication scheme:
Challenge Parameter: SwitchGetToPostLimit=100
11.1.1.5.2 12984774 Resolves an issue that caused user authentication failure because of blocked LDAP reads.
11.1.1.5.2 12963048 Resolves an issue that caused session-store throughput to drop significantly when the in-memor
11.1.1.5.2 12941428 Resolves an intermittent issue that caused login page to take a long time (up to 20 seconds) to
11.1.1.5.2 12936965 Resolves an issue where access to Web resources protected using "/.../" as a pattern are not pr
11.1.1.5.2 12932142 Resolves an issue that prevented custom plug-in activation and displayed a checksum validation
This is fixed by clicking the Refresh button after every operation. For example, Distribute, Refres
11.1.1.5.2 12916982 Resolves an issue that occurred when a hyphen character was used in URLs while editing mod-o
This fix enables Oracle Access Manager Console support of hyphen characters in URLs while edi
11.1.1.5.2 12910340 Resolves an issue that occurred when installing Oracle HTTP Server 11g on AIX in Simple (or Ce
This fix enables support for Cert Security Mode, which can be used instead of Simple mode.
11.1.1.5.2 12867612 Resolves an issue that prevented successful logout when two applications were opened in differ
11.1.1.5.2 12821366 Enhances the remote registration tool to enable policy response creation.
This is fixed in the CreatePolicyRequest.xml form in the /ORACLE_HOME/oam/server/rreg/client
The <successResponseList> element enables you to specify individual <successResponse> para
specific Response name, Response type (Cookie, Session, or Header), and Success Response va
<successResponseList>
  <successResponse>
    <name>MyResponse</name>
    <type>Session</type>
    <value>333</value>
  </successResponse>
</successResponseList>
11.1.1.5.2 12722672 Resolves an issue with locked account status with the Oracle Identity Management/Oracle Acces
With this fix, the proper account attribute will be updated on failed login attempts.
11.1.1.5.2 12716214 Resolves an issue with Simple Security Mode connection support on Solaris with the SunPKCS11
This is fixed for deployments with 10g NSAPI Webgate.
11.1.1.5.2 12704115 Resolves a Single Sign-on failure for URLs protected with an IIS Webgate 10g. An error page wa
This fix fetches the protocol, host, and port from the Agent registration when the received URL
11.1.1.5.2 12685834 Resolves rejection of a Redirect URL string that included a hyphen character in a Webgate regis
This fix now enables acceptance of a Redirect URL string that includes a hyphen character.
11.1.1.5.2 12578130 Resolves an issue that prevented using a hyphen character in OAM Server names within config.s
"Invalid name ..." error.
This fix enables you to edit config.sh to create an OAM Server with a name containing a hyphen
11.1.1.5.2 11687976 Adds an enhancement that allows the TCP timeout value to be configured.
11.1.1.5.2 9751627 Resolves Access Tester issue that allowed connecting to the OAM Server even after the timeout
11.1.1.5.2 112716214 Resolves an issue with Simple Security Mode connection support on Solaris with the SunPKCS11
10g NSAPI Webgate.
11.1.1.5.1 12723434 Resolves an issue that occurred using Webgate 10g with OAM 11g. If a resource protected by th
contain URL encoded parameters, these characters are decoded.
This is fixed; encoded characters are not decoded.
11.1.1.5.1 12838976 Resolves an issue that prevented the LDAP plugin filter from identifying parameters based on re
The LDAP plugin filter now identifies parameters from the credential parameter map and reques
11.1.1.5.1 12690914 Resolves an issue where the 11g Webgate registration page did not work because of new Webg
10g and 11g Webgate: ipValidationExceptions and AllowManagementOperations
10g Webgate: managedServerUrl
This is fixed.
11.1.1.5.1 12747693 Resolves an issue that occurred when Oracle Access Manager 11g used Oracle Virtual Directory
stored in Oracle Internet Directory. In both cases, the OAM Server's JVM requires direct access t
successful, OAM searches the user repository for additional user attributes.
With Oracle Virtual Directory as the primary registry with Oracle Internet Directory as the backe
If a user is logged in to Active Directory domain and the user is present in OVD/OID, acce
If the user is not present in OVD/OID, access to OAM-protected resource is denied. The O
authentication is unsuccessful when the user is not present in OVD/OID.
Note: When the user is not present in OVD/OID, the previous Oracle Access Manager release (1
even though access to the protected resource is denied.
This is fixed in this release.
11.1.1.5.1 12690463 Resolves an issue that prevented Oracle Identity Federation schema policy object modifications
the Oracle Identity Federation scheme was updated; everything else remained the same.
This is fixed.
11.1.1.5.1 12688879 Login performance improvements have been made available with this release.
11.1.1.5.1 12646546 Resolves an issue with OSSO 'Paranoid' mode where OSSO-COOKIE_TIMESTAMP cookie set by O
timestamp.
This is fixed in this release.
11.1.1.5.1 12641759 Resolves an issue that caused the OSSO Agent (and other partners) to migrate improperly.
This is fixed.
11.1.1.5.1 12631787 Resolves impersonation consent failure with an Oracle Adaptive Access Manager-protected resou
This is fixed in this release.
11.1.1.5.1 12631721 Resolves an issue with the NAP library, which might not process long messages (greater than 3K
latency for instance).
This is fixed in this release; the library can now handle long messages. Although, using Access T
Tester to display a partial message but does not impact normal behavior of the tool.
11.1.1.5.1 12601409 Resolves editorial issues with migration utility strings.
This is fixed. When running the migration utility, strings displayed in the console are correct.
11.1.1.5.1 12591938 Resolves issues in a high-availability installation with managed servers on different servers. The
the Oracle Access Manager Console.
This is fixed.
11.1.1.5.1 12588136 Resolves issues accessing protected resources with query strings within an Oracle Identity Mana
environment.
11.1.1.5.1 12576767 Resolves an issue that occurred after enabling OSTS and performing configuration updates. The
error:
java.util.Date cannot be cast to java.lang.String
This is fixed.
11.1.1.5.1 12573315 Resolves an issue where the requested URL was not captured and forwarded to the Success UR
This is fixed.
11.1.1.5.1 12551922 Resolves an issue where the registerThirdPartyTAPPartner did not work if the tapRedirectUrl was
TAP represents Trusted Authentication Protocol.
This is fixed.
11.1.1.5.1 12545547 Resolves an integrated environment issue with Oracle Identity Manager, Oracle Access Manager,
when logging in to Oracle Identity Manager through Oracle Access Manager, and Oracle Adaptiv
This is fixed.
11.1.1.5.1 12538294 Resolves an integrated environment issue with Oracle Identity Manager, Oracle Access Manager,
when the user's uid is different from the cn, because the TAP scheme (Trusted Authentication P
Attribute for the identity store.
This is fixed. The fix makes the attribute used by the TAP scheme configurable: for example, the
Attribute as the uid.
11.1.1.5.1 12529649 Resolves impersonation failure that occurred if the end impersonation URL is set as http://<
/impersonate/end?userid=<impersontee>&end_url="<xyz>". Server expected a success_url an
This is fixed.
11.1.1.5.1 12434387 Resolves an issue with the Help link in the Oracle Access Manager Console, which displayed help
This is fixed. New Help is provided for this release.
11.1.1.5.1 12433297 Resolves an issue with the second encryption password validation prompt following migration.
This is fixed.
11.1.1.5.1 12433283 Resolves an issue with migration utility logging.
This is fixed. Logs are generated with all information included.
11.1.1.5.1 12433268 Resolves an issue that prevented success or failure messages from displaying after running the
This is fixed.
11.1.1.5.1 12427438 Resolves an incorrect message code. When the user account is locked because the user exceed
MaxRetryLimit parameter in oam-config.xml), Oracle Access Manager returned the OAM-2 code
user account is locked or disabled).
This is fixed.
11.1.1.5.1 12424280 Added capability to OAM Server to generate JKS keystores that can be used for PJASDK in SIMP
Keystores generated:
oamclient-truststore.jks (Keystore with OAM CA)
oamclient-keystore.jks (keystore with private key and signed certificate)
The keystores are generated under $Domain Home/output/webgate-ssl. The password to these
To generate the keystores, you must update the global passphrase from Oracle Access Manager
passphrase, use the WLST command displaySimpleModeGlobalPassphrase()
11.1.1.5.1 12423833 Resolves an integrated environment issue with Oracle Identity Manager, Oracle Access Manager,
settings were not migrated.
This is fixed.
11.1.1.5.1 12420940 Resolves an OSSO upgrade issue. The HTTP protocol was not obtained from oam-config.xml dur
This is fixed. The upgraded mod_osso partner has a valid SSL URL.
11.1.1.5.1 12416670 Resolves a failure during a transition from test to production (source to target environment) on
This is fixed.
11.1.1.5.1 12413677 Resolves an issue in the IAMSuite Application domain. A blank search of resources could take m
This fix reduces the search return time to seconds.
11.1.1.5.1 12401705 Resolves remote registration tool (oamreg) failure related to a hard-coded value for OAM_REG_
This is fixed and the tool can replace OAM_REG_HOME with your entire path.
11.1.1.5.1 12396357 Reduces the amount of log records generated by OAM server in a successful resource access (w
11.1.1.5.1 12390907 Resolves an issue during migration where identity store settings were not properly migrated.
This is fixed.
11.1.1.5.1 11902502 Resolved an issue that occurred when the password expired. This is fixed in this release.
See Also: "Details of Fix for Bug 11902502".
11.1.1.5.1 10094601 Resolves an issue that caused Server start up failure when the AdminServer is configured for Virt
server. "Server not authorized" messages were logged as the cause.
This is fixed.
11.1.1.5.1 12548635 See: The Oracle Access Manager Webgate Release Notes Bundle Patch 11g (11.1.1.5.1) Linux,
12400853 Operating Systems for issues resolved for Webgates delivered with Oracle Access Manager Bund
Table 8 Added External Error Codes, Trigger Conditions, and Recommended Messages
External Error Code    Trigger Condition
OAM-10                 Password expired.
Description
10394298 The Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token S
note that the Open Common Properties item on the Actions menu is disabled. An exception occurs when you
first time.
The item in Table 3-6 System Configuration, Actions Menu, Command Descriptions should read as follows:
Open Common Properties
Disabled in this release. Replaced by Common Settings in the Common Configuration section of the System
13090141 The Oracle Fusion Middleware Third-Party Application Server Guide section "Configuring SSO Logout for OAM
WebSphere" states that LTPAToken cookies need to be deleted by client javascript in logout.html and gives t
javascript function delOblixCookie().
Correction: A note will be added as follows.
Note: If the cookie property "httponly" is set to "true" by users for security considerations, javascript cannot
cookies and SSO logout will not work.
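The httponly note above can be checked against a small model of the browser cookie rules (RFC 6265, section 5.3). This is an added example, not code from Oracle's documentation: the CookieJar class, scriptDeleteCookie, serverLogout and the cookie value are constructed for illustration, and only the LTPAToken name comes from the note.

```javascript
// Constructed model of the browser cookie rules that matter for the note.
// Not a full browser implementation: domain and path matching are omitted.
class CookieJar {
  constructor() {
    this.store = new Map(); // name -> { value, httpOnly }
  }

  // Parse "name=value; Attr; Attr=val" into a cookie record.
  static parse(text) {
    const [pair, ...attrs] = text.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const cookie = {
      name: pair.slice(0, eq),
      value: pair.slice(eq + 1),
      httpOnly: false,
      expired: false,
    };
    for (const attr of attrs) {
      const [key, val = ''] = attr.split('=');
      const k = key.trim().toLowerCase();
      if (k === 'httponly') cookie.httpOnly = true;
      if (k === 'max-age' && Number(val) <= 0) cookie.expired = true;
      if (k === 'expires' && Date.parse(val) <= Date.now()) cookie.expired = true;
    }
    return cookie;
  }

  // fromHttp is true for a Set-Cookie response header,
  // false for a script assignment to document.cookie.
  set(text, fromHttp) {
    const c = CookieJar.parse(text);
    const existing = this.store.get(c.name);
    // Scripts may neither create HttpOnly cookies nor overwrite existing ones.
    if (!fromHttp && (c.httpOnly || (existing && existing.httpOnly))) return false;
    if (c.expired) this.store.delete(c.name);
    else this.store.set(c.name, { value: c.value, httpOnly: c.httpOnly });
    return true;
  }

  // What reading document.cookie returns: HttpOnly cookies are hidden.
  scriptView() {
    return [...this.store]
      .filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`)
      .join('; ');
  }
}

// Hypothetical client-side delete, the approach a logout.html helper takes:
// overwrite the cookie with an expiry date in the past.
function scriptDeleteCookie(jar, name) {
  return jar.set(`${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`, false);
}

// Server-side alternative: the logout response itself expires the cookie.
function serverLogout(jar, name) {
  return jar.set(`${name}=; Path=/; Max-Age=0; HttpOnly`, true);
}
```

With httponly set, the script-side delete is ignored and the token survives until an HTTP response expires it.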
13521519 The Oracle Fusion Middleware Integration Guide for Oracle Access Manager section "Set Up the Kerberos Au
Module..." (under "Configuring Oracle Access Manager for WNA") specified the wrong format for IBM JDK.
Correction: A note will be added as follows.
Note: The format specified in steps detailing changes in oam-config.xml does not work with the IBM JDK. Fo
keytabfile entry should use the following format
12774777 The Oracle Fusion Middleware Integration Guide for Oracle Access Manager chapter "Configuring Oracle Acc
WNA" incorrectly mentions oam-policy.xml file.
Correction: oam-config.xml
13323608 The topic "Deleting an OSSO Agent (mod_osso) Registration", in the Oracle Fusion Middleware Administrato
Access Manager with Oracle Security Token Service has been updated to include the following information.
Note: Deleting an agent registration removes only the registration (not the associated host identifier, applica
resources, or the agent instance itself), which prevents registering the same agent again if required. Howev
Application Domain and its content removes all referenced objects including the Agent registration.
The topic "Deleting an Application Domain and Its Content" now includes the following information:
Deleting the Application Domain and its content removes all referenced objects, including the Agent registra
method, if you later need to re-register the same Agent, you can because there are no remaining references
Application Domain and its content.
13552000 Table 13-9, Namespace Request Variables for Single Sign-On, in the Oracle Fusion Middleware Administrator
Access Manager with Oracle Security Token Service incorrectly states res_policy as one of the variables asso
Namespace that should be returned.
In the next version of the book, policy_name will replace res_policy as the correct Namespace request varia
Sign-On.
n/a Plugin naming guidelines and the following task overview are missing from the Oracle Fusion Middleware De
Oracle Access Manager and Oracle Security Token Service topic "About Creating Custom Authentication Mod
See Also: "Adding Custom Plug-ins" in the Oracle Fusion Middleware Developer's Guide for Oracle Access Ma
Security Token Service.
Custom Plug-in Naming Guidelines
When you regenerate the custom authentication module, consider the following naming requirements:
The new plug-in name must be included in the xml file and the manifest.
A period ( . ) is not a valid character in the plugin name.
To modify an existing authentication plug-in used in an authentication step or module
1. Regenerate the plug-in with a different name that includes a version identifier based on plug-in namin
example: <plugin_name>_v1.jar.
2. Log in to the Oracle Access Manager Console, as usual.
3. From the System Configuration tab, Common Configuration section, click Plugins; from the Actions me
4. Perform the following steps:
Import new plug-in <plugin_name>_v1.jar.
Distribute the new plug-in <plugin_name>_v1.jar.
Activate the new plug-in <plugin_name>_v1.jar.
5. Expand the Plugin Details section, click Configuration Parameters, and enter appropriate information a
In the new <plugin_name>_v1, create steps similar to those in the old plug-in and orchestrate
needed.
Edit custom authentication modules that used the older plug-in <plugin_name> to ensure that
<plugin_name>_v1.
6. Optional: Deactivate and remove the original plug-in JAR file from your deployment.
See Also:
Oracle Access Manager Webgate Release Notes Bundle Patch 11g (11.1.1.5.5)
Linux, Solaris SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP PA-RISC
Operating Systems
Note:
To remain in an Oracle-supported state, Oracle recommends that you apply the
bundle patch to all installed components for which packages are provided.
Oracle Access Manager Release Notes for Bundle Patch 11.1.1.5.7 Generic
Copyright 2000, 2014 Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing
restrictions on use and disclosure and are protected by intellectual property laws. Except as
expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce,
translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any
part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this
software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be
error-free. If you find any errors, please report them to us in writing.
If this software or related documentation is delivered to the U.S. Government or anyone licensing it
on behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and
technical data delivered to U.S. Government customers are "commercial computer software" or
"commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and
adaptation shall be subject to the restrictions and license terms set forth in the applicable
Government contract, and, to the extent applicable by the terms of the Government contract, the
additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December
2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.
This software is developed for general use in a variety of information management applications. It is
not developed or intended for use in any inherently dangerous applications, including applications
which may create a risk of personal injury. If you use this software in dangerous applications, then
you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to
ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any
damages caused by use of this software in dangerous applications.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be
trademarks of their respective owners.
This software and documentation may provide access to or information on content, products, and
services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly
disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle
Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to
your access to or use of third-party content, products, or services.