
Oracle Access Manager with Oracle Security Token Service

Release Notes
Bundle Patch 11.1.1.5.7 Generic

October 2014
This document describes the bug fixes that are included with Bundle Patch 11.1.1.5.7. This bundle
patch requires a base installation of Oracle Access Manager 11g Release 1 (11.1.1) with Oracle
Security Token Service.

See Also:
Oracle Access Manager Webgate Bundle Patch 11.1.1.5.6 Release Notes for Linux,
Solaris SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP PA-RISC Operating
Systems described in Section 3.2, "Patch Set Notes and Bundle Patch Notes"

This document supersedes the documentation that accompanies Oracle Access Manager 11g Release
1 (11.1.1), and earlier documents if any. This document contains the following sections:
Section 1, "Documentation Accessibility"
Section 2, "Bundle Patch Overview"
Section 3, "Documentation"
Section 4, "Bundle Patch Requirements"
Section 5, "Before You Install This Bundle Patch"
Section 6, "Bundle Patch Installation and Removal"
Section 7, "Known Issues"
Section 8, "Fixes Included in This Cumulative Bundle Patch"
Section 9, "Documentation Issues Resolved in This Bundle Patch"
Section 10, "Components Included with this Bundle Patch"

1 Documentation Accessibility
Our goal is to make Oracle products, services, and supporting documentation accessible to all users,
including users that are disabled. To that end, our documentation includes features that make
information available to users of assistive technology. This documentation is available in HTML
format, and contains markup to facilitate access by the disabled community. Accessibility standards
will continue to evolve over time, and Oracle is actively engaged with other market-leading
technology vendors to address technical obstacles so that our documentation can be accessible to all
of our customers. For more information, visit the Oracle Accessibility Program Web site at
http://www.oracle.com/accessibility/.
Accessibility of Code Examples in Documentation
Screen readers may not always correctly read the code examples in this document. The conventions
for writing code require that closing braces should appear on an otherwise empty line; however,
some screen readers may not always read a line of text that consists solely of a bracket or brace.
Accessibility of Links to External Web Sites in Documentation
This documentation may contain links to Web sites of other companies or organizations that Oracle
does not own or control. Oracle neither evaluates nor makes any representations regarding the
accessibility of these Web sites.
Deaf/Hard of Hearing Access to Oracle Support Services
To reach Oracle Support Services, use a telecommunications relay service (TRS) to call Oracle
Support at 1.800.223.1711. An Oracle Support Services engineer will handle technical issues and
provide customer support according to the Oracle service request process. Information about TRS is
available at http://www.fcc.gov/cgb/consumerfacts/trs.html, and a list of phone numbers
is available at http://www.fcc.gov/cgb/dro/trsphonebk.html.

2 Bundle Patch Overview


This bundle patch must be applied to Oracle Access Manager 11g components.
The following topics provide an overview of bundle patches:
Section 2.1, "Bundle Patch Introduction"
Section 2.2, "Bundle Patch Baseline Packages"
Section 2.3, "Bundle Patch Package Names"

2.1 Bundle Patch Introduction


A bundle patch is an official Oracle patch for Oracle Access Manager components on baseline
platforms. Each bundle patch includes the libraries and files that have been rebuilt to implement one
or more fixes. All of the fixes in the bundle patch have been tested and are certified to work with
one another. Regression testing has also been performed to ensure backward compatibility with all
Oracle Access Manager components in the bundle patch, and earlier WebGates.
Each bundle patch is cumulative: the latest bundle patch includes all fixes in earlier bundle patches
for the same release and platform. Fixes delivered in bundle patches are rolled into the next release.
Bundle patches are released on a regular basis and are available on My Oracle Support (formerly
Oracle MetaLink). A knowledge base note, maintained by the Support team, is also available to
provide a list of bundle patches and included packages. Look for Note: 736372.1 on My Oracle
Support at:
http://support.oracle.com

Note:
To remain in an Oracle-supported state, Oracle recommends that you apply the
bundle patch to all installed components for which packages are provided.

Table 1 outlines the differences between a bundle patch and a standard patch set.

Table 1 Bundle Patches versus Patch Sets

Mechanism: Bundle Patch
Description:
A bundle patch is an official Oracle patch mechanism for Oracle Access Manager
components on baseline platforms. Each bundle patch includes the libraries and
files that have been rebuilt to implement one or more fixes.
This bundle patch must be applied to Oracle Access Manager 11g Release 1
(11.1.1) components.
See Also: Section 5, "Before You Install This Bundle Patch".

Mechanism: Patch Set
Description:
Oracle Access Manager 11g Release 1 (11.1.1) is a patch set and is the required
base for this bundle patch.
A patch set is a mechanism for delivering fully tested and integrated product fixes
that can be applied to installed components of the same release. Patch sets
include all of the fixes available in previous bundle patches for the release. A
patch set can also include new functionality.
All of the fixes in the patch set have been tested and are certified to work with
one another on the specified platforms.
Each patch set provides the libraries and files that have been rebuilt to
implement bug fixes (and new functions, if any). However, a patch set might not
be a complete software distribution and might not include packages for every
component on every platform.

2.2 Bundle Patch Baseline Packages


Oracle Access Manager Bundle Patch 11.1.1.5.7 provides a generic package for all supported OAM
Servers.

See Also:
Oracle Access Manager Webgate Bundle Patch 11.1.1.5.6 Release Notes for Linux,
Solaris SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP PA-RISC Operating
Systems

2.3 Bundle Patch Package Names


Oracle Access Manager bundle patch releases are distributed in individual platform-specific bundles
(zip files) that are numbered for release. Oracle Access Manager bundle patch zip file names might
contain some, all or none of the following variables.
A base release refers to the required component release base; for this bundle patch series the
release base is 11.1.1.5.
A BPnn is the short name for a specific bundle patch release. Bundle patch 7 (BP07, for
example) is also known as release 11.1.1.5.7, the base release followed by the bundle patch
number.
A component might refer to a specific Oracle Access Manager component, such as OAM Server
or a specific Webgate.
Webserver is the Web server identifier for a Webgate.
LINUX, WINDOWS or other operating system platform might be defined.
Table 2 lists sample package names. Note these are sample package names; not all bundle patch
release packages follow the same naming conventions.

Table 2 Bundle Patch Package Name Examples

Bundle Patch: OAM Server
Example:
p17184828_111157_LINUX.zip
Oracle_Access_Manager_11_1_1_5_7_BP07_generic_server_components.zip

Bundle Patch: 11g Agents
Convention:
Oracle_Access_Manager_11_1_1_5_7_BPnn_Webserver_Webgate.zip
Example:
Oracle_Access_Manager_11_1_1_5_7_BP07_OHS_Webgate.zip

Bundle Patch: OAM Identity Assertion Provider
Convention:
oamAuthnProvider
Example:
oracle.oamprovider_11.1.1/oamAuthnProvider.jar

3 Documentation
This section describes the documentation that is available to support the latest bundle patch and the
original release. This section provides the following topics:
Section 3.1, "Oracle Access Manager Manuals and Release Notes"
Section 3.2, "Patch Set Notes and Bundle Patch Notes"
Section 3.3, "Certification Documentation"

3.1 Oracle Access Manager Manuals and Release Notes


You can find release notes and manuals on Oracle Technology Network (OTN). If you already have a
user name and password for OTN, you can go directly to the documentation section of the OTN Web
site at:
http://www.oracle.com/technetwork/indexes/documentation/index.html

Oracle Access Manager 11g is documented in the following manuals:

Oracle Access Manager chapter of the Oracle Fusion Middleware Release Notes 11g Release 1
(11.1.1).
Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle
Security Token Service.
Oracle Fusion Middleware Integration Guide for Oracle Access Manager.
Oracle Fusion Middleware Upgrade Planning Guide.
Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management.
Oracle Fusion Middleware Upgrade Guide for Java EE.
Oracle Fusion Middleware Administrator's Guide.
Oracle Fusion Middleware Application Security Guide
Oracle Application Server Single Sign-On Administrator's Guide.
Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.
Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

3.2 Patch Set Notes and Bundle Patch Notes


You can download notes with software patches and bundle patches from My Oracle Support
(formerly MetaLink) at:
http://support.oracle.com

This document, Oracle Access Manager Release Notes for Bundle Patch 11.1.1.5.7 Generic, provides
the following information for this specific bundle patch release:
General information about bundle patches
General bundle patch requirements and installation details
Details about what is included in this bundle patch
This Oracle Access Manager Release Notes for Bundle Patch 11.1.1.5.7 Generic document is
available in HTML format, as readme.htm, which you can view without downloading the zip
file.
The companion Oracle Access Manager Webgate Bundle Patch 11.1.1.5.6 Release Notes for Linux,
Solaris SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems provides
the following information for WebGates delivered with Oracle Access Manager Bundle Patch
11.1.1.5.7:
General information about bundle patches
General WebGate bundle patch requirements and installation details
Details about what is included in the WebGate bundle patch
The Oracle Access Manager Webgate Bundle Patch 11.1.1.5.6 Release Notes for Linux, Solaris
SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems readme
file is available in PDF format within the bundle patch distribution zip file (see readme.pdf). An
HTML version, readme.htm, that you can view without downloading the zip file is also
available.

3.3 Certification Documentation


Table 3 provides the sites where you can find certified support information and installation packages.

Table 3 OAM Certification Documentation, Installers, and Readme

To find the: Certification Matrix
Go to: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certificati

To find the: Oracle Fusion Middleware Requirements
Go to: http://www.oracle.com/technology/software/products/ias/files/fusion_requireme

To find the: Oracle Fusion Middleware Downloads
Go to: http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_d

To find the: Oracle Identity and Access Management and Webgate (11.1.1.5.0) Downloads
Go to: http://www.oracle.com/technetwork/middleware/id-mgmt/oid-11g-161194.html

To find the: Additional (non OHS11g) Webgates
Go to: See the Oracle Identity Management 10g downloads page, Oracle Access Manager 10g - non OHS11g W
Party Integrations section.
http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html

4 Bundle Patch Requirements


Requirements for this bundle patch are discussed in the following topics:
Section 4.1, "Base Release for Bundle Patch 11.1.1.5.7"

Section 4.2, "Bundle Patch Recommendations"

4.1 Base Release for Bundle Patch 11.1.1.5.7


This is the OAM Server bundle patch. Oracle Access Manager 11g Release 1 (11.1.1.5.x) is the
required base for Bundle Patch 11.1.1.5.7.

Note:
If you have already installed an 11.1.1.5.x Bundle Patch, you can install Bundle
Patch 11.1.1.5.7 on top of it.

See Also:
Table 3 for details about the certification matrix, installer packages, and
readme files
Oracle Access Manager Webgate Bundle Patch 11.1.1.5.6 Release Notes for
Linux, Solaris SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP
PA-RISC Operating Systems

4.2 Bundle Patch Recommendations


Oracle recommends that you apply the latest bundle patch to all installed components included with
the bundle patch.
Oracle also recommends that OAM Server components be at the same (or higher) bundle patch level
as the installed 11g WebGate. If a WebGate bundle patch is provided, Oracle recommends that you
apply it as described in Table 4.

See Also:
Oracle Access Manager Webgate Bundle Patch 11.1.1.5.6 Release Notes for Linux,
Solaris SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP PA-RISC Operating
Systems

Table 4 Bundle Patches and Webgates

If you have: 11g Release 1 (11.1.1.5.0) Webgates
Perform the following steps:
Apply a WebGate bundle patch:
See the companion document: Oracle Access Manager Webgate Bundle
Patch 11.1.1.5.6 Release Notes for Linux, Solaris SPARC, Solaris X64,
Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems.

If you have: Earlier Webgates
Perform the following steps:
Deploy an 11g Release 1 (11.1.1) Webgate with a full installer package
1. Remove the earlier WebGate (or AccessGate) using instructions in
the earlier Oracle Access Manager Installation Guide.
2. Install the 11g WebGate using all specifications for the earlier
WebGate and steps in the Oracle Fusion Middleware Installation
Guide for Oracle Identity Management.
3. Apply this bundle patch as described in the companion document:
Oracle Access Manager Webgate Bundle Patch 11.1.1.5.6 Release
Notes for Linux, Solaris SPARC, Solaris X64, Windows, HP-Itanium,
AIX, and HP PA-RISC Operating Systems.

Note:
Oracle Access Manager Server 11.1.1.5.6 has been tested with the WebGate MLR
17184828 patch applied on top of the OAM WebGate Bundle Patch 11.1.1.5.5. It is
recommended to apply this WebGate MLR patch which contains the well tested,
important WebGate fixes.

5 Before You Install This Bundle Patch


Before installing this bundle patch, Oracle recommends that you review this section and follow these
instructions carefully:
Ensure that your system configuration is at the appropriate level:
Oracle Access Manager 11g Release 1 (11.1.1)
Supported Operating System
Supported Web server release and type
Confirm that any currently installed bundle patch level is lower than the one you intend to
install.
For example, you can install Bundle Patch 11.1.1.5.7 on top of 11.1.1.5.5 but you cannot
install 11.1.1.5.5 over Bundle Patch 11.1.1.5.7.
There is no need to remove an earlier bundle patch before installing a later one.

Note:
If your system configuration does not meet support requirements, or if you are not
certain that your system configuration meets these requirements, Oracle
recommends that you log a Service Request to get assistance with this bundle
patch. Oracle Support will make a determination about whether you should apply
this bundle patch or not.

6 Bundle Patch Installation and Removal


This section contains the following topics to guide you as you prepare and install the bundle patch
files (or as you remove a bundle patch should you need to revert to your original installation):
Section 6.1, "Preparing the Environment and Downloading the Bundle Patch"
Section 6.2, "Installing a Bundle Patch on Any Platform"
Section 6.3, "Using Automation Scripts for Post-Installation Tasks"
Section 6.4, "Failure During Bundle Patch Application"
Section 6.5, "Performing Post-Patch Tasks for Integration between Oracle Identity Federation
and Oracle Access Manager"
Section 6.6, "Rolling Back a Bundle Patch on Any System"

Note:
Oracle recommends that you always install the latest bundle patch.

6.1 Preparing the Environment and Downloading the Bundle Patch

This section introduces the Oracle patch mechanism (Opatch) and requirements that must be met
before applying the bundle patch. Opatch is a Java-based utility that runs on all supported operating
systems and requires installation of the Oracle Universal Installer.

Note:
Oracle recommends that you have the latest version of Opatch from My Oracle
Support (formerly Oracle MetaLink). Opatch requires access to a valid Oracle
Universal Installer (OUI) Inventory to apply patches.

The patching process uses both unzip and Opatch executables. After sourcing the ORACLE_HOME
environment, Oracle recommends that you confirm that both of these exist before patching.
Perform steps in the following procedure to prepare your environment and download the bundle
patch. Due to formatting constraints in this document, some sample text lines wrap around. These
line wraps should be ignored.

Note:
Ignore line wrapping in syntax examples and ignore steps that do not apply to your
environment.

See Also:
Oracle Universal Installer and OPatch User's Guide at
http://download.oracle.com/docs/cd/E14571_01/doc.1111/e16793/toc.htm
Oracle Access Manager Webgate Bundle Patch 11.1.1.5.6 Release Notes for Linux, Solaris
SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems

Ignore steps that do not apply to your environment. Steps that relate to only a specific condition are
identified with a bold condition.

Note:
Step 1 is relevant only after an in-place upgrade from Oracle Access Manager
11.1.1.3.0 to 11.1.1.5.0. Artifacts introduced in 11.1.1.5.0 for Oracle Security Token
Service will be missing in your $DOMAIN_HOME.

To prepare your environment and download the bundle patch


1. Enabling Oracle Security Token Service: If this bundle patch will be applied in an
environment that was upgraded to 11.1.1.5.0 (not a new 11.1.1.5.0 installation), the following
steps might be required and might not have been present in the upgrade instructions on My
Oracle Support at the time of the upgrade:
a. Copy the following from their $ORACLE_HOME locations to $DOMAIN_HOME locations:
$ORACLE_HOME/oam/server/config/amcrl.jar
TO $DOMAIN_HOME/config/fmwconfig

$ORACLE_HOME/oam/server/lib/jmx
TO $DOMAIN_HOME/config/fmwconfig/mbeans/oam
$ORACLE_HOME/oam/server/config/mbeans/*.xml
TO $DOMAIN_HOME/config/fmwconfig/mbeans

b. Edit the Linux setDomainEnv.sh or Windows setDomainEnv.cmd file to update the
PRE_CLASSPATH to include sts-policies.jar, as follows:
Linux: Go to $DOMAIN_HOME/bin/setDomainEnv.sh and manually update it to include
the following:

PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${OAM_ORACLE_HOME}/server/policy/

Windows: Go to DOMAIN_HOME\bin\setDomainEnv.cmd and manually update it to
include the following:

set PRE_CLASSPATH=%PRE_CLASSPATH%;%OAM_ORACLE_HOME%\server\policy\sts-policies.

2. Download Opatch 11.1.x (version 11.1.0.8.3 or higher is required), if needed:

Note:
To learn the Opatch version, use opatch -help. If Opatch is earlier than
11.1.0.8.3, you must download the latest 11.1.x version. However, do not
download Opatch 11.2.

a. Log in to My Oracle Support:


https://support.oracle.com/

b. Review the following notes before installing Opatch:


Note 224346.1: Opatch - Where Can I Find the Latest Version of Opatch? and, in the
document, click the Patch 6880880 link which takes you to the screen where you can
obtain the latest version of OPatch based on release versions and platforms.
Note 1051266.1: How To Install a WebCenter 11g Patch?
3. Confirm the required executables are in your system PATH, and add these if needed:
which opatch
which unzip

4. Verify the OUI Inventory using the following command:
opatch lsinventory

Windows 64-bit: opatch lsinventory -jdk c:\jdk160

If an error occurs, contact Oracle Support to validate and verify the inventory setup before
proceeding. If the ORACLE_HOME does not appear, it might be missing from the Central
Inventory, or the Central Inventory itself could be missing or corrupted.
5. Confirm that $ORACLE_HOME is pointing to the correct location ($MW_HOME/Oracle_IDM1)
and change this if needed.
6. On the computer that will host the bundle patch files, create a directory to store the unzipped
patch (referenced later as PATCH_TOP). For example:
Linux: /home/11.1.1.5.7/tmp
Solaris: /opt/11.1.1.5.7/tmp
Windows: C:\11.1.1.5.7\tmp
7. Retrieve the Bundle Patch:
a. From My Oracle Support, click the Patches & Updates link.
b. Enter the Patch ID or Number, then click Search to display a Patch Search Results
table.
c. Using the Release and Platform columns, find the desired patch, then click the
associated Patch ID.
d. Download: In the page that appears, click the Download button to retrieve the
packages.
8. Unzip the patch zip file into the PATCH_TOP directory you created earlier. For example:
unzip -d PATCH_TOP p19730928_111150_Generic.zip

9. On OAM Servers, move RREG.TAR and the /rreg folder from the client and store them in a
different location. For example:
From: $ORACLE_HOME/oam/server/rreg/client/rreg/
To: $ORACLE_HOME/backup/oam/server/rreg/client/rreg
10. Proceed to Section 6.2, "Installing a Bundle Patch on Any Platform":
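
The checks in steps 2, 3 and 5 above, together with the bundle patch level rule from Section 5, as an added shell example (not part of Oracle's release notes or scripts). The function names are hypothetical, and the Opatch and bundle patch version strings are passed in by the operator rather than parsed from tool output.

```shell
#!/bin/sh
# Added example: pre-flight checks before applying the bundle patch.
# All function names are hypothetical; version strings come from the operator.

# is_version V: succeed only for dotted numeric strings such as 11.1.0.8.3.
is_version() {
    case $1 in
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    return 0
}

# ver_cmp A B: print -1, 0 or 1 as version A is lower than, equal to, or
# higher than B. Fields compare numerically; missing fields count as 0.
ver_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0} y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# Step 2: Opatch must be an 11.1.x release at 11.1.0.8.3 or higher (not 11.2).
opatch_version_ok() {
    is_version "$1" || return 1
    case $1 in 11.1.*) ;; *) return 1 ;; esac
    [ "$(ver_cmp "$1" 11.1.0.8.3)" -ge 0 ]
}

# Section 5: the installed level must be on the 11.1.1.5 base and lower than
# the level being installed. Both arguments use the five-field form.
bp_upgrade_ok() {
    is_version "$1" && is_version "$2" || return 1
    case $1 in 11.1.1.5.*) ;; *) return 1 ;; esac
    case $2 in 11.1.1.5.*) ;; *) return 1 ;; esac
    [ "$(ver_cmp "$1" "$2")" -lt 0 ]
}

# Step 3: print the names of required executables that are not in PATH.
missing_tools() {
    missing=
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    echo "${missing# }"
}

# Step 5: ORACLE_HOME (arg 1) must be MW_HOME (arg 2) followed by /Oracle_IDM1.
oracle_home_ok() {
    [ -n "$1" ] && [ -n "$2" ] && [ "${1%/}" = "${2%/}/Oracle_IDM1" ]
}

# preflight OPATCH_VERSION INSTALLED_LEVEL TARGET_LEVEL
# Reports every failed check and returns non-zero if any check failed.
preflight() {
    rc=0
    m=$(missing_tools opatch unzip)
    [ -z "$m" ] || { echo "FAIL: not in PATH: $m"; rc=1; }
    opatch_version_ok "$1" ||
        { echo "FAIL: Opatch $1 (need 11.1.x at 11.1.0.8.3 or higher)"; rc=1; }
    bp_upgrade_ok "$2" "$3" ||
        { echo "FAIL: cannot install $3 over $2"; rc=1; }
    oracle_home_ok "${ORACLE_HOME:-}" "${MW_HOME:-}" ||
        { echo "FAIL: ORACLE_HOME is not \$MW_HOME/Oracle_IDM1"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: pre-flight checks passed"
    return "$rc"
}

# Runs only when called with the three version arguments, for example:
#   sh preflight.sh 11.1.0.8.3 11.1.1.5.5 11.1.1.5.7
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```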

6.2 Installing a Bundle Patch on Any Platform


This section describes how to install components in the bundle patch on any platform using Oracle
patch (Opatch). While individual command syntax might differ depending on your platform, the
overall procedure is the same.
The files in each bundle patch are installed into the destination $ORACLE_HOME. This enables you to
remove (roll back) the bundle patch even if you have deleted the original bundle patch files from the
temporary directory you created.
Oracle recommends that you back up the $ORACLE_HOME using your preferred method before any
patch operation. You can use any method (zip, cp -r, tar, and cpio) to compress the $ORACLE_HOME.
When Opatch starts, it validates the patch to ensure there are no conflicts with the software already
installed in your $ORACLE_HOME:
Conflicts with a patch already applied to the $ORACLE_HOME. In this case, stop the patch
installation and contact Oracle Support Services.
Conflicts with subset patch already applied to the $ORACLE_HOME. In this case, continue
installation because the new patch contains all the fixes from the existing patch in the
$ORACLE_HOME. The subset patch is automatically rolled back before installation of the new
patch begins.
This patch is not -auto flag enabled. Table 5 describes the Opatch application mode. The following
procedure provides steps.

Table 5 Opatch Application Modes

Mode: opatch apply
Description:
Without the -auto flag:
No servers need to be running.

To install a bundle patch


1. Complete all activities in Section 6.1, "Preparing the Environment and Downloading the Bundle
Patch".
2. Log in as the same user who installed the base product and:
a. Stop the AdminServer and all OAM Servers to which you will apply this bundle patch,
and any application that uses this component.
OAM-protected servers will not be accessible.
b. Back up your $ORACLE_HOME.
c. Move the backup directory to another location and record this so you can locate it later,
if needed.
3. Change to the directory where the patch is located. For example:

cd PATCH_TOP/19730928

4. Run the appropriate Opatch command as an administrator to ensure the required permissions
are granted to update the central inventory and apply the patch to your $ORACLE_HOME:
opatch apply

Windows 64-bit: opatch apply -jdk c:\jdk160

Note:
Opatch operates on one instance at a time. If you have multiple instances,
you must repeat these steps for each instance.

5. Multiple Instances: Repeat Steps 1-5 to apply the bundle patch to each instance throughout
your installation.
6. Continue with Section 6.3, "Using Automation Scripts for Post-Installation Tasks".

6.3 Using Automation Scripts for Post-Installation Tasks


Bundle patches include an updated version of the Oracle Access Manager 11g configuration file:
oam-config.xml.
The domainAutomation.sh and domainAutomation.bat files available with this bundle patch
have been modified to handle backing up files, copying files, starting AdminServer, and running the
patchUpgrade command. Only one command is required when upgrading the domain. The
domainAutomation script will start AdminServer to upgrade the oam-config.xml file and then shut
AdminServer down once the upgrade is done.
The domainAutomation scripts cannot be called directly by Opatch because:
Each script starts AdminServer to run the patchUpgrade command online.
Before installing a new patch, Opatch removes the previously installed patch.
Required: When running the domainAutomation script, you must include the following information:
-u <username> is the username that connects WLST to the AdminServer
-p <password> is the password that connects WLST to the AdminServer
-l <url> is the listen address and non-SSL listen port of the AdminServer
with format host:port (localhost:7001, for example).
Optional:

-t <WLS_MAX_TRIES> ... the number of times the script attempts to connect to the AdminServer
(default is 15)
-w <WLS_WAIT_TIME> ... the number of seconds between each attempt (default is 10)
Note:
The domainAutomation script starts the AdminServer yet the time needed for the
server to be in the RUNNING state is unknown. These optional parameters
determine how long the script waits before failing if it cannot connect to the server.
By default the waiting time is set to 150 seconds. If this time is not sufficient, it can
be increased through the -t and -w options.

When the script is successful, the following message is displayed:


*** Domain was successfully patched ***

Log files are generated in the path: $PATCH_TOP/19730928/files/oam/server/scripts/opatch/logs.
Use the following steps to manually update your oam-config.xml file and retain the earlier version,
whether you have applied an earlier bundle patch or not.
To complete your bundle patch installation
1. Shut down the AdminServer and all OAM Servers.
2. Set environment variables for your deployment, as follows:
Linux:
a. setenv ORACLE_HOME <oracleHome>
where, for example, <oracleHome> might be /Oracle/Middleware/Oracle_IDM1.
b. setenv DOMAIN_HOME <domainhome>
where, for example, <domainhome> might be /Oracle/Middleware/user_projects/domains/base_domain.
Windows:
a. set ORACLE_HOME=<oracleHome>
where, for example, <oracleHome> could be c:\Oracle\Middleware\Oracle_IDM1
b. set DOMAIN_HOME=<domainhome>
where, for example, <domainhome> could be c:\Oracle\Middleware\user_projects\domains\base_domain
3. Back up your DOMAIN_HOME directory.
4. Change to the directory containing this patch and run the automation script, as follows:
Linux:
a. cd $PATCH_TOP/19730928/files/oam/server/scripts/opatch
b. Add execute permission to the domainAutomation.sh file:
chmod u+x domainAutomation.sh

c. Run ./domainAutomation.sh -i 19730928 -u <username> -p <password> -l <url>
On Linux platforms, the server is started in the same terminal as the one in which the
domainAutomation script was started.
Windows:
a. cd $PATCH_TOP/19730928/files/oam/server/scripts/opatch
b. Run domainAutomation.bat -i 19730928 -u <username> -p <password> -l <url>
On Windows platforms, the server is started in a different terminal window named "OAM
Admin Server". This window is minimized and should be closed after the
domainAutomation script is executed.
5. Restart all servers (to take up the new oam-config.xml) and proceed as follows:
Failure: Go to Section 6.4, "Failure During Bundle Patch Application".
Successful: If needed, go to Section 6.5, "Performing Post-Patch Tasks for Integration
between Oracle Identity Federation and Oracle Access Manager".

6.4 Failure During Bundle Patch Application


Should your bundle patch application fail, Oracle recommends that you:
Check the log files in $PATCH_TOP/19730928/files/oam/server/scripts/opatch/logs
See if the cause can be identified, which might include:
Incorrect ORACLE_HOME or DOMAIN_HOME environment variables specified
Incorrect parameters specified when running the domainAutomation script
AdminServer does not start successfully
To recover from a failed bundle patch application
1. Check the logs and confirm that there are no configuration issues with the patch application.
2. Correct the problem.
3. Shut down the AdminServer and roll back the patch as described in Section 6.6, "Rolling Back
a Bundle Patch on Any System", then perform patch application again.

6.5 Performing Post-Patch Tasks for Integration between Oracle Identity Federation and Oracle Access Manager

If your Oracle Access Manager deployment includes integration with Oracle Identity Federation, you
must perform the following steps. Otherwise, you can skip this section.
Using the following steps, you will add a new Authentication Scheme, add the scheme to a new
Authentication Policy, and add a new Resource to be protected using the Authentication Policy.

Note:
Use the following steps to manually update your oam-config.xml file and retain the
earlier version, whether you have applied an earlier bundle patch or not.

Prerequisites
Section 6.3, "Using Automation Scripts for Post-Installation Tasks"
To finish patching with this integration
1. Start the AdminServer and OAM Server.
2. Log in to the Oracle Access Manager Console.
3. From the Policy Configuration tab, navigation tree, expand the Shared Components node.
4. Create an Authentication Scheme:
a. Click the Authentication Schemes node, then click the Create button in the tool bar.
b. Fill in the fresh Authentication Scheme page as follows:
Name: TAPResponseOnlyScheme
Description: TAPResponseOnlyScheme

Auth level: 2
Challenge method: DAP
Challenge Redirect URL: /oam/server/
Authentication Module: DAP
Challenge URL: http(s)://thirdpartyhost:port/loginPage
Context Type:
Challenge Parameters:

c. Click Apply to submit the new scheme, dismiss the Confirmation window, then check the
navigation tree for the new scheme.
5. Create an Authentication Policy:
a. Expand the Application Domains node, then expand the IAMSuite node.
b. Click the Authentication Policies node, then click the Create button in the tool bar.
c. Fill in the fresh Authentication Policy page as follows:
Name: TAP Response Protected Policy
Description: TAP Response Protected Authentication Policy for OAMAgent
Authentication Scheme: TAPResponseOnlyScheme

d. Click Apply to submit the new policy, dismiss the Confirmation window, then check the
navigation tree for the new policy.
6. Create a Resource Definition:
a. In the IAMSuite Application Domain, open the Resources node and click the New
Resource button in the upper-right corner of the Search page.
b. On the Resource Definition page enter the following details:
Type: HTTP
Description: TAP Resource to be asserted against
Host Identifier: IAMSuiteAgent
Resource URL: /oamTAPResponseAssertResource
Protection Level: Protected
Authentication Policy: TAP Response Protected Policy
Authorization Policy: Protected Resource Policy

c. Click Apply to submit the new resource definition, dismiss the Confirmation window,
then close this page.
7. Add Resources to the Authentication Policy:
a. In the IAMSuite Application Domain, open the Authentication Policy TAP Response
Protected Policy.
b. Click the Resources tab on the Authentication Policy page.
c. Click the Add button on the tab.

d. Choose a URL from the list: /oamTAPResponseAssertResource.


e. Repeat these steps as needed to add more resources.
f. Click Apply to submit the changes, dismiss the Confirmation window.
8. Complete your policies in this Application Domain as described in the Oracle Fusion Middleware
Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

6.6 Rolling Back a Bundle Patch on Any System


The domainAutomationRollback.sh and domainAutomationRollback.bat files have been
added to this bundle patch to restore all the backed up files on Linux and Windows, respectively. The
domainAutomationRollback scripts restore the oam-config.xml file that was backed up before
this patch was applied.

Note:
If any configuration changes were performed after the patch was applied, these will
be lost with domainAutomationRollback.

When the script is successful, the following message is displayed:


*** Domain was successfully rolled back ***

Log files are generated in the path: $PATCH_TOP/19730928/files/oam/server/scripts/opatch/logs.
Rolling back a bundle patch is described in the following steps.
To roll back a bundle patch on any system
1. Set environment variables for your deployment, as follows:
Linux: setenv DOMAIN_HOME <domainhome>
where, for example, <domainhome> might be /Oracle/Middleware/user_projects/domains/base_domain.
Windows: set DOMAIN_HOME=<domainhome>
where, for example, <domainhome> could be c:\Oracle\Middleware\user_projects\domains\base_domain
2. Change to the directory containing this patch and run the automation script, as follows:
Linux:

a. cd $PATCH_TOP/19730928/files/oam/server/scripts/opatch
b. Add execute permission to the domainAutomationRollback.sh file:
chmod u+x domainAutomationRollback.sh

c. Run ./domainAutomationRollback.sh -i 19730928


Windows:
a. cd $PATCH_TOP/19730928/files/oam/server/scripts/opatch
b. Run domainAutomationRollback.bat -i 19730928
3. Run the following command to roll back the patch:
opatch rollback -id 19730928

4. Restart all OAM Servers, which will take up the new oam-config.xml.

Note:
After doing a rollback of the Access Manager patch in an integrated OAM-OIM
environment, restart all servers.
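
A guarded wrapper around rollback steps 1 to 4 above, as an added example that is not part of Oracle's patch scripts: it keeps a copy of the current oam-config.xml before it is overwritten and runs opatch only when the domain script both exits cleanly and prints the success banner. It assumes that oam-config.xml is at $DOMAIN_HOME/config/fmwconfig/oam-config.xml (not stated on this page) and that opatch is on PATH; all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Oracle's script. Assumed (not stated on this page):
# oam-config.xml is at $DOMAIN_HOME/config/fmwconfig/oam-config.xml and
# opatch is on PATH. All function names are hypothetical.

BANNER='*** Domain was successfully rolled back ***'
CONFIG_REL='config/fmwconfig/oam-config.xml'

# Copy the live oam-config.xml aside before it is overwritten, so changes
# made after patching can be reviewed later. Prints the path of the copy.
snapshot_config() {
    src="$1/$CONFIG_REL"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    mkdir -p "$2" || return 1
    dest="$2/oam-config.xml.pre-rollback.$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dest" || return 1
    chmod 600 "$dest"   # keep the copy readable by its owner only
    echo "$dest"
}

# True only if the captured output contains the exact success banner.
banner_present() {
    grep -qF -- "$BANNER" "$1"
}

# Steps 2a-2c: run domainAutomationRollback.sh and capture its output.
# Succeeds only when the exit status is 0 AND the banner was printed.
run_domain_rollback() {
    dir="$PATCH_TOP/$1/files/oam/server/scripts/opatch"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    ( cd "$dir" && chmod u+x domainAutomationRollback.sh &&
      ./domainAutomationRollback.sh -i "$1" ) >"$2" 2>&1 && rc=0 || rc=$?
    cat "$2"
    [ "$rc" -eq 0 ] && banner_present "$2"
}

# Steps 1-4 in order. Returns 1 if the snapshot fails, 2 if the domain
# rollback is not confirmed (opatch is then NOT run), 3 if opatch fails.
rollback_patch() {
    [ -n "${DOMAIN_HOME:-}" ] || { echo "set DOMAIN_HOME first" >&2; return 1; }
    saved=$(snapshot_config "$DOMAIN_HOME" "$2") || return 1
    run_domain_rollback "$1" "$2/domain-rollback.log" || {
        echo "domain rollback not confirmed; opatch rollback skipped" >&2
        return 2
    }
    opatch rollback -id "$1" || return 3
    if cmp -s "$saved" "$DOMAIN_HOME/$CONFIG_REL"; then
        echo "oam-config.xml is unchanged"
    else
        echo "oam-config.xml was replaced; pre-rollback copy: $saved"
    fi
    echo "Restart all OAM Servers so they load the restored oam-config.xml"
}

# Usage: sh rollback.sh --rollback 19730928 /path/to/workdir
if [ "${1:-}" = "--rollback" ]; then
    rollback_patch "$2" "${3:-$HOME/oam-rollback}"
fi
```
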

7 Known Issues
Table 6 identifies any known issues with this bundle patch release.

See Also:
Oracle Fusion Middleware Release Notes for known issues with the full-installer
release

Table 6 Known Issues in this Bundle Patch


Bundle Patch Number   Base Bug Number   Description of the Problem

11.1.1.5.6 17539895 Custom plugins uploaded after applying any OAM Bundle Patch will not be available after a patch
Similarly, any changes done to the oam-config.xml file after applying OAM Bundle Patch are remo
rollback the patch.


11.1.1.5.2 15909678 If a user attempts to login to OIM using OAM, the account is locked after too many attempts with
password (the obLoginTryCount LDAP attribute is plus one for every incorrect password login). U
redirected to Forgot Password process. At the end, it is expected to see a pop up that the passwo
reset and the user will be automatically logged in to OIM. Instead, the user is redirected back to
Password page to complete the process a second time.
Work Around
After completing the process a second time, the user will be automatically logged in.

11.1.1.5.2 13620606 Remote registration failed to run with Oracle Access Manager administrative user credentials. A s
occurred with following messages:
User does not belong to the group that is
authorized to perform registration.
Registration failed. Try again after
verifying the users group.

Work Around
From the Oracle Access Manager Console, find the user identity store that is designated as the Sy
the System Store configuration page, add the username that is granted authority to run remote r
Generally, this is the same userID that has access to log in to the Oracle Access Manager Console
For example, open the System Store registration page, within the Access System Administrators s
new administrative username (oamAdminUser, for example) in addition to the group (
which might already be present.
See Also: "Managing Administrator Roles" in the Oracle Fusion Middleware Administrator's Guide
Manager with Oracle Security Token Service.

11.1.1.5.2 13481036 Basic Authentication might not work properly with Oracle Access Manager 11.1.1.5.2. A popup fo
repeats, even after entering valid credentials, and the user cannot log in.

11.1.1.5.2 12992160 On the AIX Platform, Simple Security Mode is not functioning with OAM Server 11.1.1.5.2.
Work Around:
Install OAM Server and 10g Webgate on AIX platform and specify either Open or Cert Security M

11.1.1.5.1 12887343 Migrating Artifacts from an 11.1.1.5.0 Domain to an 11.1.1.5.1 Domain: Simple Mode Not Workin
After migrating artifacts from 11.1.1.5.0 to 11.1.1.5.1, the mode of oam_server1 is not changed
from Open mode. However, oam-config.xml from artifacts.zip.gz has the Simple mode value for o
During the upgrade from Oracle Access Manager 11.1.1.5 to 11.1.1.5.1, the OAM Server Security
set to Open mode. However, you must change the mode by modifying the IAMSuiteAgent registra
bundle patch installation. Otherwise, Administrators might not be able to log in to the upgraded O
Manager Console.
See Also: Step 5 in Section 6.3.
11.1.1.5.1 12769177 Windows 2008 64-bit System
You might encounter an issue with insufficient privileges to the Central Inventory:

OiiolLogger.addFileHandler:Error while adding


file handler C:\Program Files\Oracle\Inventory\logs\OPatch2011-07-18_06-

java.io.FileNotFoundException: C:\Program Files\Oracle\Inventory\logs\OP
... (Access is denied)
Unable to lock Central Inventory.
OPatch will attempt to re-lock.
Do you want to proceed? [y|n]

Work Around
Run the appropriate Opatch command as an administrator to ensure the required permissions are
update the central inventory.

8 Fixes Included in This Cumulative Bundle Patch


This bundle patch provides specific fixes for core components on all platforms. The latest bundle
patch is cumulative and includes all fixes in all previous bundle patches for the specified product
release. Table 7 identifies the fixes in this bundle patch release.

Table 7 Details of Cumulative Bundle Patch 11.1.1.5.7


Bundle Patch Number   Base Bug Number   Description of the Problem Solved
11.1.1.5.7 18121326 Fix for bug 18121326
18184584 Fix for bug 18184584
18192808 Fix for bug 18192808

11.1.1.5.6 16389891 Resolved issue with basic authentication that does not re-prompt user for basic pop up if invalid
re-prompted for credentials until maximum retry limits are not exceeded.

11.1.1.5.6 16462477 Basic Authentication malfunctions when the ENFORCE-VALID-BASIC-AUTH-CREDENTIALS param

11.1.1.5.6 16971881 Performance issue in OAM Coherence cache characterized by stuck threads and ConcurrentModi
11.1.1.5.6 16615701 Redirect to PWDMGMT.JSPX is missing the host name when port 80 is used.
11.1.1.5.6 16569015 OAM SSO logout does not expire all WebGate 11g cookies for multiple host names.

11.1.1.5.6 16281463 Policy failure redirect when user omits password during Basic authentication credential collection
11.1.1.5.6 16817786 WLST importPolicyDelta command removes blank port/host identifier variations.
11.1.1.5.6 15962518 Error occurs while importing a custom plugin.
11.1.1.5.6 15863291 GSSEXCEPTION is not recorded when OAM WNA fails due to Kerberos error.
11.1.1.5.6 14733826 OAM fails to reconnect to LDAP if LDAP was started after OAM.
11.1.1.5.6 14563021 Unable to add policy to resource.


11.1.1.5.6 14138833 OAM_PROXY 11.1.1.3.0 Exception thrown while decrypting token - AuthID field not found in coo
11.1.1.5.6 14053429 Forms 11.1.2.0.0 unable to connect to OAM 11.1.1.5.0BP02.

11.1.1.5.6 13474531 Unable to enter resource URL with more than 256 characters.
This issue has been fixed but there is an upper limit of 1800 characters on the length of the UR
resource is created using a URL with more than 1800 characters, the operation will fail and exce
11.1.1.5.6 13012345 OAMRUNTIMEEXCEPT: Unable to access OAAM protected resource.

11.1.1.5.6 12541526 An issue that does not allow resources with invalid encoded characters. For example: resource /
11.1.1.5.6 14349888 Fix for 14349888.
11.1.1.5.6 12743709 Fix for 12743709.
11.1.1.5.6 16635205 Thread pool issues in the OAM and OIM Weblogic servers when accessing Coherence cache are
13993968

11.1.1.5.5 14400679 Resolves an issue that caused an Unbalanced Parenthesis error with a custom plug-in.
This is fixed.

11.1.1.5.5 14356645 Resolves an issue that was encountered when the user clicks Cancel during credential collection
This is fixed.

11.1.1.5.5 14331847 Resolves an issue where a DOS attack on the OAM Server would result in OutOfMemory Excepti
This is fixed.

11.1.1.5.4 14139424 Resolves an issue that occurred when registering a fresh OSSO partner with a desire to use the
migrated partners.
This is fixed. If the SiteName begins with migratedSSOPartners, the new partner is considered a

11.1.1.5.4 13982059 Resolves an issue that occurred when attempting to log in to the Oracle Access Manager Consol
The non-SSL port is turned off and when the Embedded LDAP is used for authentication, loggin
login page is presented repeatedly without accepting credentials.
This is fixed. You might need to update the startManagedWebLogic.sh file to point WebLog
establish SSL connections between AdminServer and OAM Servers:
JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore="<path_to_trust_store
export JAVA_OPTIONS
Modify the Admin URL value to point to the AdminServer's SSL port: ADMIN_URL="https://

11.1.1.5.4 13962108 Resolves an issue with Oracle Access Manager/Oracle Identity Federation environment. When us
OAMSSA-14003: Policy runtime failed.
Setting the request cache type to FORM was not working.
This is fixed and requires Oracle Identity Federation patch 13781779 to be installed.


11.1.1.5.4 13930141 Resolves an issue that occurred when the Access Client is initialized multiple times and performe
irrespective of changes made on the server side. This write operation was due to a configuration
This is fixed.

11.1.1.5.4 13859351 Resolves an issue with PasteConfig for application domains, which failed while importing policies
This is fixed.

11.1.1.5.4 13858201 Resolves an issue of attributes set with 11g ASDK (setSessionAttributes) were not available usin
This is fixed.

11.1.1.5.4 13780347 Resolves an issue that occurred when a browser sends an Authorization header that contains an
was unable to provide a Kerberos token during Windows Native Authentication, it might instead
does not support NTLM and incorrectly handled the error by sending the client into a redirect lo
This is fixed.

11.1.1.5.4 13774650 Resolves an issue that occurred with Internet Explorer browser. The Oracle Access Manager Log
submission of the form, the response renders in a new window instead of the modal window.
This is fixed.

11.1.1.5.4 13555542 Resolves an issue that occurred during authentication. The user entered the correct credentials,
Webgate entered into a loop.
This is fixed.

11.1.1.5.4 13554467 Resolves an issue that occurred when trying to activate a custom plug-in (in the Oracle Access M
activation failed.
If the machine has a physical IP address and a different virtual IP address, activation of custom
Server based on the host name set in the server's registration. If the query doesn't match, activ
This is fixed. A check now verifies the exception return is user disabled and returns an OAM-5 e

11.1.1.5.4 13356624 Resolves an issue that occurred when Oracle Internet Directory was down. Oracle Access Manag
This is fixed. p_error_code is correctly set when there is no contact with the identity store.

11.1.1.5.4 13090748 Resolves an issue that causes inconsistent behavior with Windows Native Authentication (WNA a
deployment. Authentication fails when a duplicate samAccountName was encountered.
This is fixed.
11.1.1.5.4 13086385 Resolves an issue that produced authentication failure in a trusted Active Directory forest when
This is fixed.

11.1.1.5.4 13078251 Resolves an issue that occurred when trying to extract PrincipalName attribute and X509 authen
being supported.
This is fixed. Added support for PrincipalName, which can now be extracted from the certificate.

11.1.1.5.4 12723591 Resolves an issue that occurred when the identity store is configured as the System Store with n
registration fails because the tool cannot validate the user's role as an administrator.
This is fixed. Even if the configuration does not contain any user, validation for a user belonging
registration is successful.

11.1.1.5.4 11867065 Resolves an issue that occurred when a user deletes the session used for the Oracle Access Man
This is fixed.

11.1.1.5.3 13600589 Resolves an issue that occurred when load testing a multi-threaded OAM SDK application. With
logout, exceptions are raised.
Access Exception: java.lang.Exception: Failed to
communicate with any of configured Access Server,
ensure that it is up and running....
This is fixed.

11.1.1.5.3 13720022 Resolves an issue that caused the number of threads in a client application with the SDK to kee
This is fixed by adding thread cancel logic to the API.

11.1.1.5.3 13507344 Resolves an issue that occurred when an Authentication Scheme used a composite Authenticatio
with the correct module.
This is fixed.
11.1.1.5.3 13834510 Resolves an issue that caused integration between Oracle Access Manager and Oracle Adaptive
Authentication Scheme.
This is fixed.
11.1.1.5.3 13826271 Resolves a typo in oam-config.xml that prevented the OSSO Agent from working.
This is fixed by replacing ccheck_request_creds with check_request_creds.

11.1.1.5.3 13586109 Resolves an issue that caused a query string integrity check to fail during stress testing. The fol
<Error> <oracle.oam.proxy.oam> <BEA-000000>
<Query Validate Hash and generated validate hash do not match. ....
This is fixed.
Login successful without error.

11.1.1.5.3 13564299 Resolves an issue that prevented first-time users (created with the Identity Management Consol
Logging in with a new password worked if the user clicked the Forgot Password link on the login
Identity Management Console she was redirected to the Password Reset page to change and su
login page with the error:
An incorrect Username or Password was specified
This is fixed.

11.1.1.5.2 13482800 Resolves an issue that prevented the orchestrated plug-in execution sequence from resuming fr
This is fixed.
See Also: Bug 13368820 in this table.

11.1.1.5.3 13371595 Resolves an issue that prevented the uptake of the load balancing port by the OAM Server durin
This is fixed.


11.1.1.5.3 12812506 Resolves an issue that prevented global login and logout from working with various agent types
Manager 11.1.1.5.0.
This is fixed.
11.1.1.5.3 13587714 Resolves an issue that prevented multi-value attributes defined in LDAP from being returned by
11.1.1.5.1.
This is fixed.

11.1.1.5.3 13491476 Resolves an issue that prevented users from logging in with a new session by destroying existin
sessions allowed per user was set to 1, and if user logged in from a new browser without first log
limit reached error message was displayed.
This is fixed. Users can now log in with a new session by destroying existing session.

11.1.1.5.3 13485001 Resolves an issue that occurred using the Access SDK API to authenticate against a resource us
error was displayed
This is fixed.

11.1.1.5.3 13427676 Resolves an issue that occurred with the integration of Oracle Access Manager and Oracle Ident
an OAM-2 error message (incorrect Username or Password), when a user was disabled. The me
This is fixed. In this situation, Oracle Access Manager sends an OAM-5 error message. For more
Administrator's Guide for Oracle Access Manager with Oracle Security Token Service: Table 8-3 i
and recommended messages.

11.1.1.5.3 13372581 Resolves an issue that caused Windows Native Authentication to fail on AIX with the IBM JDK.
This is fixed. The keytabfile format that was documented does not work for IBM JDK. The manu
See Also: Bug 13521519 in Section 9, "Documentation Issues Resolved in This Bundle Patch"

11.1.1.5.3 13368316 Resolves an issue that occurred because the Content-Length and Content-Type headers were no
/obrareq.cgi?wh..." request when length of the message exceeded 1980 characters.
This is fixed. The Content-Length and Content-Type headers are now added to the POST respon

11.1.1.5.3 13025450 Resolves an issue with low file upload limits for custom plug-ins. The following message appear
uploading a custom plug-in JAR file:

Warning: The file upload failed. The file could not be uploaded because
This is fixed.

11.1.1.5.3 13019689 Resolves an issue that prevented Oracle Access Manager from asserting the requested URL to an
This is fixed. Oracle Access Manager now asserts the requested resource as "resource_url" quer
11.1.1.5.3 13720048 See:
Oracle Access Manager Webgate Release Notes, described in Section 3.2, "Patch Set Notes and

11.1.1.5.2 13368820 Adds an authentication plug-in Pause state to support multi-factor authentication.
The Pause state enables an authentication plug-in to suspend execution and request additional
credentials are obtained, authentication resumes from the point at which it paused.
On successful execution of authentication plug-ins, based on the orchestration strategy, the use

resource is granted.
See Also: Section 9, "Documentation Issues Resolved in This Bundle Patch" for updated plug-in

11.1.1.5.2 13395921 Resolves a Trusted Authentication Protocol (TAP) related issue that occurred when integrating O
Management.

11.1.1.5.2 13359259 Resolves an issue that caused cookie responses in the mod_osso partner authentication policy t

11.1.1.5.2 13257575 Resolved an issue that occurred when using a javascript-disabled browser. User logout did not r
This was fixed by removing some javascript reliance from the Oracle Access Manager logout pro
11g Agent logout URL callbacks are required, logging out terminates the user's session and redi

11.1.1.5.2 13254371 Resolves an issue that occurred when a user of a javascript-disabled browser failed to login. The
failure_url.
This was fixed by removing some reliance on javascript for browser redirects. Oracle Access Man
operation does not specify a requirement for javascript-POST redirect.

11.1.1.5.2 13097306 Resolves an issue in Oracle Access Manager and Oracle Identity Manager integration where disa
in Oracle Access Manager SSO login page.

11.1.1.5.2 13063981 Resolves an issue that occurred after upgrading from 10.1.2.3 OSSO. The problem prevented lo

11.1.1.5.2 13009705 Supports enhanced Trust Model using the Oracle Access Manager Identity Assertion Provider wit
This fix enables the IAP to determine which user to compare to the one specified in OAM_REMO

11.1.1.5.2 12991529 Resolves an issue that caused 10g Webgate to send a lengthy GET request instead of POST. You
Schemes "SwitchGetToPostLimit". Include a positive integer value to define the size of the
When data size exceeds this value, Oracle Access Manager performs a javascript POST-style red
This is fixed when you include the following challenge parameter in the authentication scheme:
Challenge Parameter: SwitchGetToPostLimit=100
11.1.1.5.2 12984774 Resolves an issue that caused user authentication failure because of blocked LDAP reads.

11.1.1.5.2 12963048 Resolves an issue that caused session-store throughput to drop significantly when the in-memor
11.1.1.5.2 12941428 Resolves an intermittent issue that caused login page to take a long time (up to 20 seconds) to

11.1.1.5.2 12936965 Resolves an issue where access to Web resources protected using "/.../" as a pattern are not pr

11.1.1.5.2 12932142 Resolves an issue that prevented custom plug-in activation and displayed a checksum validation
This is fixed by clicking the Refresh button after every operation. For example, Distribute, Refres

11.1.1.5.2 12916982 Resolves an issue that occurred when a hyphen character was used in URLs while editing mod-o
This fix enables Oracle Access Manager Console support of hyphen characters in URLs while edi

11.1.1.5.2 12910340 Resolves an issue that occurred when installing Oracle HTTP Server 11g on AIX in Simple (or Ce
This fix enables support for Cert Security Mode, which can be used instead of Simple mode.

11.1.1.5.2 12867612 Resolves an issue that prevented successful logout when two applications were opened in differ

11.1.1.5.2 12821366 Enhances the remote registration tool to enable policy response creation.
This is fixed in the CreatePolicyRequest.xml form in the /ORACLE_HOME/oam/server/rreg/client
The <successResponseList> element enables you to specify individual <successResponse> para
specific Response name, Response type (Cookie, Session, or Header), and Success Response va

<name>MyResponse</name>
<type>Session</type>
<value>333</value>

11.1.1.5.2 12722672 Resolves an issue with locked account status with the Oracle Identity Management/Oracle Acces
With this fix, the proper account attribute will be updated on failed login attempts.

11.1.1.5.2 12716214 Resolves an issue with Simple Security Mode connection support on Solaris with the SunPKCS11
This is fixed for deployments with 10g NSAPI Webgate.

11.1.1.5.2 12704115 Resolves a Single Sign-on failure for URLs protected with an IIS Webgate 10g. An error page wa
This fix fetches the protocol, host, and port from the Agent registration when the received URL

11.1.1.5.2 12685834 Resolves rejection of a Redirect URL string that included a hyphen character in a Webgate regis
This fix now enables acceptance of a Redirect URL string that includes a hyphen character.

11.1.1.5.2 12578130 Resolves an issue that prevented using a hyphen character in OAM Server names within config.s
"Invalid name ..." error.
This fix enables you to edit config.sh to create an OAM Server with a name containing a hyphen
11.1.1.5.2 11687976 Adds an enhancement that allows the TCP timeout value to be configured.
11.1.1.5.2 9751627 Resolves Access Tester issue that allowed connecting to the OAM Server even after the timeout

11.1.1.5.2 112716214 Resolves an issue with Simple Security Mode connection support on Solaris with the SunPKCS11
10g NSAPI Webgate.

11.1.1.5.2 13467119 See Also:


13079512 Oracle Access Manager Webgate Release Notes Bundle Patch 11g described in Section 3.2, "Pat

11.1.1.5.1 12723434 Resolves an issue that occurred using Webgate 10g with OAM 11g. If a resource protected by th
contain URL encoded parameters, these characters are decoded.
This is fixed; encoded characters are not decoded.

11.1.1.5.1 12838976 Resolves an issue that prevented the LDAP plugin filter from identifying parameters based on re

1. Go to System Configuration, select Access Manager Settings, Authentication Modules, Cus


2. Modify the following parameters:
KEY_IDENTITY_STORE_REF Oracle Internet Directory
KEY_LDAP_FILTER uid={username}
3. Modify the LDAPScheme to point to LDAPPlugin.
4. Create an Application Domain to protect resources with LDAPScheme.
5. Access the protected resource, and pass the username and password.

The LDAP plugin filter now identifies parameters from the credential parameter map and reques


11.1.1.5.1 12690914 Resolves an issue where the 11g Webgate registration page did not work because of new Webg
10g and 11g Webgate: ipValidationExceptions and AllowManagementOperations
10g Webgate: managedServerUrl
This is fixed.

11.1.1.5.1 12747693 Resolves an issue that occurred when Oracle Access Manager 11g used Oracle Virtual Directory
stored in Oracle Internet Directory. In both cases, the OAM Server's JVM requires direct access t
successful, OAM searches the user repository for additional user attributes.
With Oracle Virtual Directory as the primary registry with Oracle Internet Directory as the backe

If a user is logged in to Active Directory domain and the user is present in OVD/OID, acce
If the user is not present in OVD/OID, access to OAM-protected resource is denied. The O
authentication is unsuccessful when the user is not present in OVD/OID.

Note: When the user is not present in OVD/OID, the previous Oracle Access Manager release (1
even though access to the protected resource is denied.
This is fixed in this release.
11.1.1.5.1 12690463 Resolves an issue that prevented Oracle Identity Federation schema policy object modifications
the Oracle Identity Federation scheme was updated; everything else remained the same.
This is fixed.
11.1.1.5.1 12688879 Login performance improvements have been made available with this release.

11.1.1.5.1 12646546 Resolves an issue with OSSO 'Paranoid' mode where OSSO-COOKIE_TIMESTAMP cookie set by O
timestamp.
This is fixed in this release.
11.1.1.5.1 12641759 Resolves an issue that caused the OSSO Agent (and other partners) to migrate improperly.
This is fixed.

11.1.1.5.1 12631787 Resolves impersonation consent failure with an Oracle Adaptive Access Manager-protected resou
This is fixed in this release.

11.1.1.5.1 12631721 Resolves an issue with the NAP library, which might not process long messages (greater than 3K
latency for instance).
This is fixed in this release; the library can now handle long messages. Although, using Access T
Tester to display a partial message but does not impact normal behavior of the tool.
11.1.1.5.1 12601409 Resolves editorial issues with migration utility strings.
This is fixed. When running the migration utility, strings displayed in the console are correct.

11.1.1.5.1 12591938 Resolves issues in a high-availability installation with managed servers on different servers. The
the Oracle Access Manager Console.
This is fixed.

11.1.1.5.1 12588136 Resolves issues accessing protected resources with query strings within an Oracle Identity Mana
environment.


11.1.1.5.1 12576767 Resolves an issue that occurred after enabling OSTS and performing configuration updates. The
error:
java.util.Date cannot be cast to java.lang.String
This is fixed.

11.1.1.5.1 12573315 Resolves an issue where the requested URL was not captured and forwarded to the Success UR
This is fixed.

11.1.1.5.1 12551922 Resolves an issue where the registerThirdPartyTAPPartner did not work if the tapRedirectUrl was
TAP represents Trusted Authentication Protocol.
This is fixed.

11.1.1.5.1 12545547 Resolves an integrated environment issue with Oracle Identity Manager, Oracle Access Manager,
when logging in to Oracle Identity Manager through Oracle Access Manager, and Oracle Adaptiv
This is fixed.

11.1.1.5.1 12538294 Resolves an integrated environment issue with Oracle Identity Manager, Oracle Access Manager,
when the user's uid is different from the cn, because the TAP scheme (Trusted Authentication P
Attribute for the identity store.
This is fixed. The fix makes the attribute used by the TAP scheme configurable: for example, the
Attribute as the uid.

11.1.1.5.1 12529649 Resolves impersonation failure that occurred if the end impersonation URL is set as http://<
/impersonate/end?userid=<impersontee>&end_url="<xyz>". Server expected a success_url an
This is fixed.

11.1.1.5.1 12434387 Resolves an issue with the Help link in the Oracle Access Manager Console, which displayed help
This is fixed. New Help is provided for this release.
11.1.1.5.1 12433297 Resolves an issue with the second encryption password validation prompt following migration.
This is fixed.
11.1.1.5.1 12433283 Resolves an issue with migration utility logging.
This is fixed. Logs are generated with all information included.
11.1.1.5.1 12433268 Resolves an issue that prevented success or failure messages from displaying after running the
This is fixed.

11.1.1.5.1 12427438 Resolves an incorrect message code. When the user account is locked because the user exceed
MaxRetryLimit parameter in oam-config.xml), Oracle Access Manager returned the OAM-2 code
user account is locked or disabled).
This is fixed.

11.1.1.5.1 12424541 Resolves an impersonation failure.
This is fixed. Impersonation grants are configured for the impersonatee user (User being impers
attribute in Oracle Internet Directory.

11.1.1.5.1 12424280 Added capability to OAM Server to generate JKS keystores that can be used for PJASDK in SIMP
Keystores generated:

oamclient-truststore.jks (Keystore with OAM CA)
oamclient-keystore.jks (keystore with private key and signed certificate)

The keystores are generated under $Domain Home/output/webgate-ssl. The password to these
To generate the keystores, you must update the global passphrase from Oracle Access Manager
passphrase, use the WLST command displaySimpleModeGlobalPassphrase()

11.1.1.5.1 12423833 Resolves an integrated environment issue with Oracle Identity Manager, Oracle Access Manager,
settings were not migrated.
This is fixed.

11.1.1.5.1 12420940 Resolves an OSSO upgrade issue. The HTTP protocol was not obtained from oam-config.xml dur
This is fixed. The upgraded mod_osso partner has a valid SSL URL.
11.1.1.5.1 12416670 Resolves a failure during a transition from test to production (source to target environment) on
This is fixed.

11.1.1.5.1 12413677 Resolves an issue in the IAMSuite Application domain. A blank search of resources could take m
This fix reduces the search return time to seconds.

11.1.1.5.1 12401705 Resolves remote registration tool (oamreg) failure related to a hard-coded value for OAM_REG_
This is fixed and the tool can replace OAM_REG_HOME with your entire path.

11.1.1.5.1 12396357 Reduces the amount of log records generated by OAM server in a successful resource access (w
11.1.1.5.1 12390907 Resolves an issue during migration where identity store settings were not properly migrated.
This is fixed.
11.1.1.5.1 11902502 Resolved an issue that occurred when the password expired. This is fixed in this release.
See Also: "Details of Fix for Bug 11902502".

11.1.1.5.1 10094601 Resolves an issue that caused Server start up failure when the AdminServer is configured for Virt
server. "Server not authorized" messages were logged as the cause.
This is fixed.

11.1.1.5.1 12548635 See: The Oracle Access Manager Webgate Release Notes Bundle Patch 11g (11.1.1.5.1) Linux,
12400853 Operating Systems for issues resolved for Webgates delivered with Oracle Access Manager Bund

Details of Fix for Bug 11902502


When a password expired, the error code returned to the custom login page by the OAM Server was
the same error code returned for invalid credentials. Error code OAM-10 has been added for this type
of failure.
Bundle patch 11.1.1.5.1 adds error code OAM-10 to security modes that determine the nature of
error messages returned by the OAM Server when an operation fails. Choose one of the following
settings to configure error messages with varying degrees of security for your custom login pages:
SECURE: Most secure.
EXTERNAL: Recommended level.
INTERNAL: Least secure level.
OSSO10g: Compatible with OSSO 10g.
Table 8 identifies the new error code, trigger conditions, and recommended message.

Table 8 Added External Error Codes, Trigger Conditions, and Recommended Messages
External Error Code | Trigger Condition | Recommended Display Message
OAM-10 | Password expired. | The password has expired.

9 Documentation Issues Resolved in This Bundle Patch


Table 9 lists the documentation issues that have been identified in manuals describing Oracle Access
Manager 11g Release 1 (11.1.1). These books will be updated during the next release of the
product.

Table 9 11g Release 1 (11.1.1) Documentation Issues Resolved


Bug   Description

10394298 The Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token S
note that the Open Common Properties item on the Actions menu is disabled. An exception occurs when you
first time.
The item in Table 3-6 System Configuration, Actions Menu, Command Descriptions should read as follows:
Open Common Properties
Disabled in this release. Replaced by Common Settings in the Common Configuration section of the System

13090141 The Oracle Fusion Middleware Third-Party Application Server Guide section "Configuring SSO Logout for OAM
WebSphere" states that LTPAToken cookies need to be deleted by client javascript in logout.html and gives t
javascript function delOblixCookie().
Correction: A note will be added as follows.
Note: If the cookie property "httponly" is set to "true" by users for security considerations, javascript cannot
cookies and SSO logout will not work.

13521519 The Oracle Fusion Middleware Integration Guide for Oracle Access Manager section "Set Up the Kerberos Au
Module..." (under "Configuring Oracle Access Manager for WNA") specified the wrong format for IBM JDK.
Correction: A note will be added as follows.
Note: The format specified in steps detailing changes in oam-config.xml does not work with the IBM JDK. Fo
keytabfile entry should use the following format

<Setting Name="keytabfile" Type="xsd:string">file:///refresh/oam111a/home/oam.ke

12774777 The Oracle Fusion Middleware Integration Guide for Oracle Access Manager chapter "Configuring Oracle Acc
WNA" incorrectly mentions oam-policy.xml file.
Correction: oam-config.xml

13323608 The topic "Deleting an OSSO Agent (mod_osso) Registration", in the Oracle Fusion Middleware Administrato
Access Manager with Oracle Security Token Service has been updated to include the following information.
Note: Deleting an agent registration removes only the registration (not the associated host identifier, applica
resources, or the agent instance itself), which prevents registering the same agent again if required. Howev
Application Domain and its content removes all referenced objects including the Agent registration.
The topic "Deleting an Application Domain and Its Content" now includes the following information:
Deleting the Application Domain and its content removes all referenced objects, including the Agent registra
method, if you later need to re-register the same Agent, you can because there are no remaining references
Application Domain and its content.

13552000 Table 13-9, Namespace Request Variables for Single Sign-On, in the Oracle Fusion Middleware Administrator
Access Manager with Oracle Security Token Service incorrectly states res_policy as one of the variables asso
Namespace that should be returned.
In the next version of the book, policy_name will replace res_policy as the correct Namespace request varia
Sign-On.

n/a Plugin naming guidelines and the following task overview are missing from the Oracle Fusion Middleware De
Oracle Access Manager and Oracle Security Token Service topic "About Creating Custom Authentication Mod
See Also: "Adding Custom Plug-ins" in the Oracle Fusion Middleware Developer's Guide for Oracle Access Ma
Security Token Service.
Custom Plug-in Naming Guidelines
When you regenerate the custom authentication module, consider the following naming requirements:
- The new plug-in name must be included in the xml file and the manifest.
- A period ( . ) is not a valid character in the plugin name.
To modify an existing authentication plug-in used in an authentication step or module

1. Regenerate the plug-in with a different name that includes a version identifier based on plug-in namin
example: <plugin_name>_v1.jar.
2. Log in to the Oracle Access Manager Console, as usual.
3. From the System Configuration tab, Common Configuration section, click Plugins; from the Actions me
4. Perform the following steps:
   - Import new plug-in <plugin_name>_v1.jar.
   - Distribute the new plug-in <plugin_name>_v1.jar.
   - Activate the new plug-in <plugin_name>_v1.jar.
5. Expand the Plugin Details section, click Configuration Parameters, and enter appropriate information a
   - In the new <plugin_name>_v1, create steps similar to those in the old plug-in and orchestrate
     needed.
   - Edit custom authentication modules that used the older plug-in <plugin_name> to ensure that
     <plugin_name>_v1.
6. Optional: Deactivate and remove the original plug-in JAR file from your deployment.
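
A pre-import check for the naming guidelines above, written as an added example (not Oracle's code): it flags a period in the plug-in name and a regenerated JAR whose XML file or manifest still carries the old name. Assumptions: the plug-in name is the JAR base name, the XML file sits at the JAR root, and the sample XML and manifest contents are constructed placeholders, not the real plug-in schema.

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def build_jar(xml_text, manifest_text):
    """Constructed sample input: an in-memory JAR with one top-level XML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, manifest_text)
        jar.writestr("plugin.xml", xml_text)  # placeholder file name
    buf.seek(0)
    return buf

def check_plugin_jar(jar_name, jar_file):
    """Return naming problems for a regenerated plug-in JAR ([] means it passes)."""
    if not jar_name.lower().endswith(".jar"):
        return ["not a .jar file: " + jar_name]
    name = jar_name[:-4]  # assumption: plug-in name is the JAR base name
    problems = []
    if "." in name:
        problems.append("period in plug-in name: " + name)
    with zipfile.ZipFile(jar_file) as jar:
        entries = jar.namelist()
        if MANIFEST not in entries:
            problems.append("manifest missing")
        else:
            text = jar.read(MANIFEST).decode("utf-8", "replace")
            # JAR manifests fold long lines; a continuation starts with one space.
            text = text.replace("\r\n ", "").replace("\n ", "")
            if name not in text:
                problems.append("manifest does not mention " + name)
        xml_files = [e for e in entries if "/" not in e and e.lower().endswith(".xml")]
        if not any(name in jar.read(e).decode("utf-8", "replace") for e in xml_files):
            problems.append("no top-level XML file mentions " + name)
    return problems

if __name__ == "__main__":
    # Constructed case: JAR renamed to _v1 but metadata still carries the old name.
    stale = build_jar('<Plugin name="SamplePlugin"/>',
                      "Manifest-Version: 1.0\nBundle-SymbolicName: SamplePlugin\n")
    for problem in check_plugin_jar("SamplePlugin_v1.jar", stale):
        print(problem)
```

A version suffix such as `_v1.0` fails the period rule even when the XML file and manifest are consistent, so use a suffix like `_v1`.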

10 Components Included with this Bundle Patch


The certification release level included in this bundle patch: None. This bundle patch is released
against initial full-installer Webgate packages.
Compatible OAM Servers: 11.1.1.5

See Also:
Oracle Access Manager Webgate Release Notes Bundle Patch 11g (11.1.1.5.5)
Linux, Solaris SPARC, Solaris X64, Windows, HP-Itanium, AIX, and HP PA-RISC
Operating Systems

Note:
To remain in an Oracle-supported state, Oracle recommends that you apply the
bundle patch to all installed components for which packages are provided.

Oracle Access Manager Release Notes for Bundle Patch 11.1.1.5.7 Generic
Copyright 2000, 2014 Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing
restrictions on use and disclosure and are protected by intellectual property laws. Except as
expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce,
translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any
part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this
software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be
error-free. If you find any errors, please report them to us in writing.
If this software or related documentation is delivered to the U.S. Government or anyone licensing it
on behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and
technical data delivered to U.S. Government customers are "commercial computer software" or
"commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and
adaptation shall be subject to the restrictions and license terms set forth in the applicable
Government contract, and, to the extent applicable by the terms of the Government contract, the
additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December
2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.
This software is developed for general use in a variety of information management applications. It is
not developed or intended for use in any inherently dangerous applications, including applications
which may create a risk of personal injury. If you use this software in dangerous applications, then
you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to
ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any
damages caused by use of this software in dangerous applications.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be
trademarks of their respective owners.
This software and documentation may provide access to or information on content, products, and
services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly
disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle
Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to
your access to or use of third-party content, products, or services.