
Oracle Access Management Release Notes Bundle Patch

2 Generic for All Server Platforms

Oracle Access Management

Release Notes Bundle Patch Generic for All Server Platforms

January 2014

This document describes the bug fixes that are included with Bundle Patch

This Bundle Patch requires a base installation of Oracle Access Management 11g Release 2 (

This document supersedes the documentation that accompanies Oracle Access Management 11g Release 2 (, and earlier documents if any.

This document contains the following sections:

- Section 1, "Understanding Bundle Patches"
- Section 2, "Bundle Patch Requirements"
- Section 3, "Applying the Bundle Patch"
- Section 4, "Removing the Bundle Patch"
- Section 5, "Resolved Issues"
- Section 6, "Known Issues and Workarounds"
- Section 7, "Related Documentation"
- Section 8, "Documentation Accessibility"

1 Understanding Bundle Patches

This section describes Bundle Patches and explains differences between Bundle Patches, patch set exceptions (also known as one-offs), and patch sets.

Bundle Patches

A Bundle Patch is an official Oracle patch for Oracle Access Management components on baseline platforms. In a Bundle Patch release string, the fifth digit indicates the Bundle Patch number. For example, Release is the second Bundle Patch for Release

Bundle Patch Number:

Each Bundle Patch includes the libraries and files that have been rebuilt to implement one or more fixes. All of the fixes in the Bundle Patch have been tested and are certified to work with one another. Regression testing has also been performed to ensure backward compatibility with all Oracle Access Management components in the Bundle Patch, and earlier Webgates.

Each Bundle Patch is cumulative: the latest Bundle Patch includes all fixes in earlier Bundle Patches for the same release and platform. Fixes delivered in Bundle Patches are rolled into the next release.

Oracle Access Management Bundle Patch provides:

- Generic packages for 11.1.2 OAM Server platforms

Bundle Patch releases are distributed in individual platform-specific bundles (zip files) on My Oracle Support:

Bundle Patch package names include the component name (Oracle Access Management):

- BaseRelease: The required component release base for this package: 11.1.2
- BPnn: The short name for a specific Bundle Patch package (BP01, for example).
- component: A specific OAM Server or agent package.

Table 1 lists sample package names for Oracle Access Management Bundle Patches.

Table 1 Sample Bundle Patch Package Names

Bundle Patch Convention Example Example

See Also: Section 2, "Bundle Patch Requirements"

Patch Sets

A patch set is a mechanism for delivering fully tested and integrated product fixes that can be applied to installed components of the same release. Patch sets include all of the fixes available in previous Bundle Patches for the release. A patch set can also include new functionality.

Each patch set includes the libraries and files that have been rebuilt to implement bug fixes (and new functions, if any). However, a patch set might not be a complete software distribution and might not include packages for every component on every platform. All of the fixes in the patch set have been tested and are certified to work with one another on the specified platforms.

2 Bundle Patch Requirements

To remain in an Oracle-supported state, apply the Bundle Patch to all installed components for which packages are provided. Oracle recommends that you:

- Apply the latest Bundle Patch to all installed components in the bundle.
- Do not attempt to install an 11.1.2 Bundle Patch in an 11.1.1 environment.
- Keep OAM Server components at the same (or higher) Bundle Patch level as installed Webgates of the same release.

OAM Server operates with Webgate, 11g Release 1 (11.1.1) Webgates, and 10g Webgates.

3 Applying the Bundle Patch

This section contains the following topics to guide you as you prepare and install the Bundle Patch files (or as you remove a Bundle Patch should you need to revert to your original installation):

- Section 3.1, "Using the Oracle Patch Mechanism (Opatch)"
- Section 3.2, "Applying the OAM Bundle Patch"
- Section 3.3, "Recovering From a Failed Bundle Patch Application"

Note: Oracle recommends that you always install the latest Bundle Patch.

3.1 Using the Oracle Patch Mechanism (Opatch)

This section introduces the Oracle patch mechanism (Opatch), which is a Java-based utility that runs on all supported operating systems. Opatch requires installation of the Oracle Universal Installer.

Note: Oracle recommends that you have the latest version of Opatch (version or higher) from My Oracle Support. Opatch requires access to a valid Oracle Universal Installer (OUI) Inventory to apply patches.

The patching process uses both unzip and Opatch executables. After sourcing the ORACLE_HOME environment, Oracle recommends that you confirm that both of these exist before patching. When Opatch starts, it validates the patch to ensure there are no conflicts with the software already installed in your $ORACLE_HOME:

- If you find conflicts with a patch already applied to the $ORACLE_HOME, stop the patch installation and contact Oracle Support Services.
- If you find conflicts with a subset patch already applied to the $ORACLE_HOME, continue Bundle Patch application. The subset patch is automatically rolled back before installation of the new patch begins. The latest Bundle Patch contains all fixes from the previous Bundle Patch in $ORACLE_HOME.

This Bundle Patch is not -auto flag enabled. Without the -auto flag, no servers need to be running. The Machine Name & Listen Address can be blank on a default install.

See Also:

Oracle Universal Installer and OPatch User's Guide at

Perform the steps in the following procedure to prepare your environment and download Opatch.

To download Opatch version or higher

1. Log in to My Oracle Support:

2. Review Note 224346.1: Opatch - Where Can I Find the Latest Version of Opatch? and, in the document, click the Patch 6880880 link, which takes you to the screen where you can obtain the latest version of OPatch based on release versions and platforms.

3. Review Note 1051266.1: How To Install a WebCenter 11g Patch?

4. Use opatch -help to learn if your version of Opatch is earlier than; if so, download the latest 11.1.x version.

   Note: Do not download Opatch 11.2.

5. Confirm the required executables are in your system PATH, and add these if needed:

       which opatch
       which unzip

6. Verify the OUI Inventory using the following command:

       opatch lsinventory

   Windows 64-bit:

       opatch lsinventory -jdk c:\jdk160

   If an error occurs, contact Oracle Support to validate and verify the inventory setup before proceeding. If the ORACLE_HOME does not appear, it might be missing from the Central Inventory, or the Central Inventory itself could be missing or corrupted.

7. Review information in the next topic: "Applying the OAM Bundle Patch".

3.2 Applying the OAM Bundle Patch

Use information and steps here to apply the Bundle Patch from any platform using Oracle patch (Opatch). While individual command syntax might differ depending on your platform, the overall procedure is platform agnostic. The files in each Bundle Patch are installed into the destination $ORACLE_HOME. This enables you to remove (roll back) the Bundle Patch even if you have deleted the original Bundle Patch files from the temporary directory you created.

Note: Oracle recommends that you back up the $ORACLE_HOME using your preferred method before any patch operation. You can use any method (zip, cp -r, tar, and cpio) to compress the $ORACLE_HOME.

Formatting constraints in this document might force some sample text lines to wrap around. These line wraps should be ignored.

To apply the OAM Bundle Patch

1. Change to the directory containing the Oracle Access Management patch: 17417554.

2. Log in as the same user who installed the base product and:

   a. Stop the AdminServer and all OAM Servers to which you will apply this Bundle Patch. Any application that uses this OAM Server and any OAM-protected servers will not be accessible during this period.
   b. Back up your $ORACLE_HOME: MW_HOME/Oracle_IDM.
   c. Move the backup directory to another location and record this so you can locate it later, if needed.

3. Run the appropriate Opatch command as an administrator to ensure the required permissions are granted to update the central inventory and apply the patch to your $ORACLE_HOME. For example:

       opatch apply

   Windows 64-bit:

       opatch apply -jdk c:\path\to\jdk160

   Note: Opatch operates on one instance at a time. If you have multiple instances, you must repeat these steps for each instance.

4. Restart all Servers.

5. Multiple Instances: Repeat Steps 1-4 to apply the Bundle Patch to each instance throughout your installation.

3.3 Recovering From a Failed Bundle Patch Application

If the AdminServer does not start successfully, the Bundle Patch application has failed.

To recover from a failed Bundle Patch application

1. Confirm that there are no configuration issues with your patch application.

2. Confirm that you can start the AdminServer successfully.

3. Shut down the AdminServer and roll back the patch as described in Section 4, "Removing the Bundle Patch", then perform patch application again.

4 Removing the Bundle Patch

If you must remove a Bundle Patch after it has been applied, perform the following steps. While individual command syntax might differ depending on your platform, the overall procedure is the same. After the Bundle Patch is removed, the system is restored to the state it was in immediately before patching.

Note: Removing a Bundle Patch overrides any manual configuration changes that were made after applying the Bundle Patch. These changes must be re-applied manually after removing the patch.

To remove a Bundle Patch on any system

1. Perform the steps in Section 3.2, "Applying the OAM Bundle Patch" to set environment variables, verify the inventory, and shut down any services running from the ORACLE_HOME or host machine.

2. Change to the directory where the patch was unzipped. For example:

       cd PATCH_TOP/17417554

3. Back up the $ORACLE_HOME directory that includes the Bundle Patch and move the backup to another location so you can locate it later.

4. Run Opatch to roll back the patch. For example:

       opatch rollback -id 17417554

5. Restart servers (AdminServer and all OAM Servers) as needed based on the mode you are using.

6. Re-apply the Bundle Patch, if needed, as described in Section 3, "Applying the Bundle Patch".

5 Resolved Issues
This Bundle Patch provides the fixes described in the following topics:

- Section 5.1, "Access Manager Issues Resolved in 11g Release 2 ("
- Section 5.2, "Security Token Service Issues Resolved in 11g Release 2 ("
- Section 5.3, "Identity Federation Issues Resolved in 11g Release 2 ("
- Section 5.4, "Mobile & Social Issues Resolved in 11g Release 2 ("
- Section 5.5, "Access SDK Issues Resolved in 11g Release 2 ("

5.1 Access Manager Issues Resolved in 11g Release 2 (

This Bundle Patch provides the fixes for Access Manager in Table 2.

Table 2 Access Manager Issues Resolved Bundle Patch

Base Bug Number / Description of the Problem

17210405 17202334 17182118 17007489 16992233 16971881 16945288 16922465 16745287 16738949 16738914

- The Application Domain page in the Access Manager console is very slow, as is importing policies using the importpolicydelta WLST command.
- FEDSTS-13013 error will not be seen after applying R2 PS1 BP02 patch.
- The authentication success redirect URL is now URL encoded.
- In OAM-OIM integration, Access Manager does not redirect the user to the lockout page when the user enters the correct credentials and is locked out through OIM.
- New responses have been added under the '$request' namespace. They are policy_eval_success_conditions and policy_eval_failure_conditions.
- Stuck thread and ConcurrentModificationExceptions in session management fixed.
- Fixed an issue in T2P which resulted in a ClassCastException at runtime while redirecting to OIM URLs.
- Fixed an issue in which the Access Manager server under stress may report stuck threads around the diagnostics layer in controller.
- The OpenSSO cookie domain (iplanetDirectoryPro) can now be configured using the WLST command setOpenssoProxyCookieDomain.
- Migration of OAM 10g LDAP Rules was failing if there is any operator in the filter (for example, &). The portion of the URL after the operator was completely lost, but this has been fixed.
- The order in which policies in OAM 10g stores are to be evaluated is set in an LDAP attribute called obevalorder. If there is a high number of policies, the value for this attribute is split into multiple values. If migration is performed against such data, it will fail to migrate and throw an error. This issue has been fixed.
- Resolved a bug that limited the length of user constraint authorization rules to 255 bytes or less.
- For basic authentication, when invalid credentials are submitted, the browser will not prompt again. Rather, the invalid credentials were passed to OAM, resulting in OAM displaying a "user account locked" message. With the BP fix, the browser will reprompt the user for credentials until the number defined as the value of max retry attempts is reached.
- When a user omits the password during Basic Authentication credential collection, the user is redirected as if the policy failed. This has been fixed.
- After the application of patch 14760839, the error message "DAP Token not received" is no longer reported in the logfile at regular intervals.
- Fixes an issue with the Access Manager Server on Windows which resulted in an "An existing connection was forcibly closed by the remote host" exception.
- Resolves an issue in which virtual hosting configurations were throwing an OAM-04020 exception when no suitable host identifier is defined.
- Fixed an issue that occurred when creating authorization policies using the REST API; the attribute condition was not created even if one is provided.
- Added logging of username or userdn in all remaining relevant events logging.

The fix for this bug also includes fixes for the following: 16951380 16834457 17027096 16756477 17083362 16998122 17214771 16513008 16615701

- A NoClassDefFoundError is thrown when using the IDMConfigTool with -configOAM due to location of OAMManagementMXBeanImpl.
- After installing OAM BP05, redirects to PWDMGMT.JSPX are missing the host name when port 80 is used
- OAM application performance issue
- OAM console is very slow
- App Domain 'Resources' search poor performance issue
- AdminServer for console takes too long to start up.
- OAM console is unresponsive
- OAM console is very slow in READ/WRITE operations
- Optimization for policy search API

16544090 16389891

16281463 16279474 16239084 15998233 14626316 13866271 17210405


Migration from 10g does not support SSL connections to user data stores. (Policy and configuration LDAP URLs should start with ldaps if they are SSL enabled.) Add the following four properties to the migration properties file if directory servers are configured in SSL mode. (The name and path to the migration properties file is user-defined.)

    ## This property indicates the path to the trust store file, a
    ## collective store for CA certs for all directory servers (policy store,
    ## config store, identity store)
    ldap_trust_store=<path of trust-store file in jks format>
    ldap_trust_store_password=<plain text password of trust store file>
    ## Two properties required if client authentication at directory server
    ## is enabled. This file contains the client certificates.
    client_keystore=<path of keystore file in jks format>
    client_keystore_password=<plain text password of keystore file>

If the ldap_trust_store_password and client_keystore_password properties are left empty, the WLST prompts for these passwords after the migration utility is run.

Add option for case insensitive policy resource matching. For this to work, add the following parameter to the "properties" setting under PolicyService in the oam-config.xml file.

    <Setting Name="UseCaseInsensitiveResourceMatch" Type="xsd:boolean">true</Setting>

1. Create a WLST script with the following content. For this write-up, the script is called

   File:

       #!/usr/bin/python
       import os, sys
       from java.lang import System
       from java.lang import Integer
       from javax.management import ObjectName
       from javax.management.openmbean import CompositeData
       # The package name for BooleanSettings is missing from this copy of the
       # release note; PACKAGE_NAME_MISSING is a placeholder, not a real module.
       from PACKAGE_NAME_MISSING import BooleanSettings

       oamConfigObjectName = "oracle.oam:type=Config"

       # Switch to the domain runtime MBean tree (requires a connected WLST session).
       domainRuntime()

       value = True
       path = "DeployedComponent/Server/NGAMServer/Profile/PolicyService/OAMPolicyProvider/properties"
       key = "UseCaseInsensitiveResourceMatch"

       on = ObjectName(oamConfigObjectName)
       path = path + '/' + key

       # Wrap the boolean value in the composite type passed to the Config MBean.
       bs = BooleanSettings(key, value)
       cd = bs.toCompositeData(BooleanSettings.toCompositeType())
       newParams = [path, cd]
       signature = ["java.lang.String", "javax.management.openmbean.CompositeData"]

       try:
           mbs.invoke(on, "applyBooleanProperty", newParams, signature)
       except Exception, e:
           print "setBoolean for " + path + " failed."
           print e.getLocalizedMessage()
       exit()

2. Log in to the AdminServer using under <IDM_HOME>/common/bin.

3. Execute the created WLST script to update the file as follows.

       execfile('<file-path>/')

4. Restart the managed server.
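A check for the SSL migration properties described above, as an added example that is not part of Oracle's release note: it flags ldaps URLs without a trust store, ldap:// URLs left beside a configured trust store, and passwords stored in the file instead of being left empty for the WLST prompt. The `*_url` keys, host names and paths in the sample are hypothetical; only the four SSL property names come from the note.

```python
import os
import stat

# The two password properties named in the release note.
PASSWORD_KEYS = ("ldap_trust_store_password", "client_keystore_password")

# Constructed sample. The *_url keys, hosts and paths are hypothetical.
SAMPLE = """\
## constructed migration properties file
policy_store_url=ldaps://policy.example.com:636
identity_store_url=ldap://users.example.com:389
ldap_trust_store=/u01/migration/trust.jks
ldap_trust_store_password=changeit
client_keystore=
client_keystore_password=
"""


def parse_properties(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(text, file_mode=None):
    """Return a list of findings for a migration properties file.

    file_mode is the st_mode of the file (os.stat(path).st_mode), if known.
    """
    props = parse_properties(text)
    findings = []
    ldaps = sorted(k for k, v in props.items() if v.lower().startswith("ldaps://"))
    ldap = sorted(k for k, v in props.items() if v.lower().startswith("ldap://"))
    trust = props.get("ldap_trust_store", "")

    if ldaps and not trust:
        findings.append("ldaps URL in %s but ldap_trust_store is not set"
                        % ", ".join(ldaps))
    if trust and ldap:
        findings.append("trust store configured but %s uses ldap://, not ldaps://"
                        % ", ".join(ldap))
    if props.get("client_keystore_password") and not props.get("client_keystore"):
        findings.append("client_keystore_password set without client_keystore")

    stored = [k for k in PASSWORD_KEYS if props.get(k)]
    if stored:
        findings.append("plain-text password stored for %s; an empty value "
                        "makes WLST prompt instead" % ", ".join(stored))
        if file_mode is not None and stat.S_IMODE(file_mode) & 0o077:
            findings.append("file holding passwords is accessible to group/other "
                            "(mode %o)" % stat.S_IMODE(file_mode))
    return findings


def audit_file(path):
    """Audit a properties file on disk, including its permission bits."""
    with open(path) as handle:
        return audit(handle.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    for finding in audit(SAMPLE, 0o100644):
        print(finding)
```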



If applying this patch for bug# 16502724 (OAM returns NOT_FOUND header for empty valued attributes), please note that the behavior change (not returning empty responses) is triggered by the OAM 10g migration process. So first apply the patch and then run the OAM 10g migration tool. Post migration, manually edit $DOMAIN_HOME\config\fmwconfig\oam-config.xml as follows.

1. Stop all WebLogic Servers.

2. Add the following <SettingName> entry under the /DeployedComponent/Server/NGAMServer/Profile/PolicyService/ path.

       <Setting Name="IgnoreEmptyResponses" Type="xsd:boolean">true</Setting>

   For example:

       <Setting Name="PolicyService" Type="htf:map">
         <Setting Name="IgnoreEmptyResponses" Type="xsd:boolean">true</Setting>
         <Setting Name="OAMPolicyProvider" Type="htf:map">
           <Setting Name="name" Type="xsd:string">OESPolicyProvider</Setting>

3. Increment the "Version" by 1 in oam-config.xml. For example, if the Version is 37 as follows, update the number to 38.

       <Setting Name="Version" Type="xsd:integer">37</Setting>

16415274 16407516

- Sending multivalued attribute values with colon delimited format is standard feature available in OAM 10g but not in OAM 11gR2.
- If an authorization response of type header is configured to use the session information set via the session response, the header variable shows the value "NOT_FOUND" for the first access after authentication. Subsequent access of the protected resource shows that the header variable is set correctly.
- oamMigrate() fails when generating a migration report from OAM 10g to OAM 11gR2
- OAM fails to reconnect to LDAP directory if it was started after OAM was started
- Basic Authentication or WNA Fallback are not prompting for a second login
- Query strings with special character % fail
- Fix for Bug 16530251

16401361 14733826 14711531 12541526 16530251
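The manual oam-config.xml edits described above (IgnoreEmptyResponses under PolicyService, and the same Setting form used for UseCaseInsensitiveResourceMatch) can be scripted so that the Setting and the Version increment are applied together and only once. This is an added example, not Oracle's tooling; the outer nesting of the sample file and the position of Version beside DeployedComponent are assumptions.

```python
import xml.etree.ElementTree as ET

# Path given in the release note for IgnoreEmptyResponses.
POLICY_SERVICE_PATH = "DeployedComponent/Server/NGAMServer/Profile/PolicyService"

# Constructed sample: only the PolicyService fragment and the Version line
# come from the release note; the outer nesting is assumed for illustration.
SAMPLE = """<Configuration>
 <Setting Name="NGAMConfiguration" Type="htf:map">
  <Setting Name="Version" Type="xsd:integer">37</Setting>
  <Setting Name="DeployedComponent" Type="htf:map">
   <Setting Name="Server" Type="htf:map">
    <Setting Name="NGAMServer" Type="htf:map">
     <Setting Name="Profile" Type="htf:map">
      <Setting Name="PolicyService" Type="htf:map">
       <Setting Name="OAMPolicyProvider" Type="htf:map">
        <Setting Name="name" Type="xsd:string">OESPolicyProvider</Setting>
       </Setting>
      </Setting>
     </Setting>
    </Setting>
   </Setting>
  </Setting>
 </Setting>
</Configuration>"""


def child(parent, name):
    """Direct child <Setting Name="name"> of parent (any namespace), or None."""
    for el in parent:
        if el.tag.rsplit("}", 1)[-1] == "Setting" and el.get("Name") == name:
            return el
    return None


def resolve(root, path):
    """Return (top_map, target); top_map is the map holding the first segment."""
    parts = path.strip("/").split("/")
    top = next((el for el in root.iter() if child(el, parts[0]) is not None), None)
    if top is None:
        raise ValueError("no Setting named %r in document" % parts[0])
    node = top
    for part in parts:
        node = child(node, part)
        if node is None:
            raise ValueError("path segment %r not found" % part)
    return top, node


def set_boolean_setting(root, path, name, value=True):
    """Set a boolean Setting under path and increment Version by 1.

    Returns True when the tree changed; a repeat call with the same value
    returns False and leaves Version alone.
    """
    top, target = resolve(root, path)
    # Assumption: Version sits in the same map as the first path segment.
    version = child(top, "Version")
    if version is None:
        raise ValueError("Version setting not found")
    wanted = "true" if value else "false"
    setting = child(target, name)
    if setting is not None and (setting.text or "").strip() == wanted:
        return False
    if setting is None:
        # Reuse the parent's tag so a namespaced file keeps its namespace.
        setting = ET.Element(target.tag, {"Name": name})
        setting.tail = target.text  # keep the sibling indentation
        target.insert(0, setting)
    setting.set("Type", "xsd:boolean")
    setting.text = wanted
    version.text = str(int(version.text.strip()) + 1)
    return True


def read_setting(root, path, name):
    """Text of Setting name under path, or None when it is absent."""
    setting = child(resolve(root, path)[1], name)
    return None if setting is None else (setting.text or "").strip()


def current_version(root):
    return int(child(resolve(root, POLICY_SERVICE_PATH)[0], "Version").text.strip())
```

Run it against a copy of the file with all servers stopped, as the procedure requires, and diff the result before replacing the original: ElementTree does not preserve comments or namespace prefixes on output.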

5.2 Security Token Service Issues Resolved in 11g Release 2 (

This Bundle Patch provides the fixes for Access Manager Security Token Service in Table 3.

Table 3 Security Token Service Issues Resolved 11g Release 2 (

Bug: N/A
Description: N/A

5.3 Identity Federation Issues Resolved in 11g Release 2 (

This Bundle Patch provides the fixes for Access Manager Identity Federation in Table 4.

Table 4 Identity Federation Issues Resolved 11g Release 2 (

Bug: N/A
Description: N/A

5.4 Mobile & Social Issues Resolved in 11g Release 2 (

This Bundle Patch provides the fixes for Access Manager Mobile & Social in Table 5.

Table 5 Mobile & Social Issues Resolved 11g Release 2 (

Bug: 16529708
Description: Mobile & Social SDK: SSO Agent sample application does not work when a load balancer is fronting the Access Services

5.5 Access SDK Issues Resolved in 11g Release 2 (

This Bundle Patch provides the fixes for Access Manager Developer's Kit (SDK) in Table 6.

Table 6 Access SDK Issues Resolved 11g Release 2 (

Bug: 16179255
Description: Significant issues arise from a variety of function calls from the Access SDK.

6 Known Issues and Workarounds

Table 7 identifies any known issues with this Bundle Patch release.

See Also: Oracle Fusion Middleware Release Notes for known issues with the full-installer release

Table 7 Known Issues and Workarounds

Bundle Patch Number:
Base Bug Number: 17157673
Description of the Problem: Oracle Access Manager supports language selection with a drop down list on its Administration Console login page. If a language is selected and the Login button is clicked without having entered user name and password, an error message should be displayed in the selected language. Currently, a generic system error is displayed in English.

7 Related Documentation
This section describes the documentation that is available to support the latest Bundle Patch and the original release. This section provides the following topics:

- Section 7.1, "Oracle Access Management Manuals and Release Notes"
- Section 7.2, "Bundle Patch Release Notes"
- Section 7.3, "Certification Documentation"

7.1 Oracle Access Management Manuals and Release Notes

Use the following procedure to find the latest product documentation and Release Notes on Oracle Technology Network (OTN).

1. Go to Oracle Technology Network (OTN) at:

2. Register for a user name and password, if needed.

3. Under Fusion Middleware, click Identity Management.

4. Under Oracle Identity Management 11g documentation, click the desired library:

   Oracle Fusion Middleware 11gR2 Release (

5. Choose the desired book; Oracle Access Management 11g is documented in the following manuals:

   - Oracle Access Management 11g Release 2 ( Release Notes
   - Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management
   - Oracle Fusion Middleware Administrator's Guide for Oracle Access Management
   - Oracle Fusion Middleware Developer's Guide for Oracle Access Management
   - Oracle Fusion Middleware Upgrade Guide for Java EE
   - Oracle Fusion Middleware Update, Upgrade, and Migration Guide for Oracle Identity and Access Management
   - Oracle Fusion Middleware Performance and Tuning Guide
   - Oracle Fusion Middleware Administrator's Guide
   - Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management
   - Oracle Fusion Middleware High Availability Guide
   - Oracle Fusion Middleware WebLogic Scripting Tool Command Reference
   - Oracle Fusion Middleware Security and Administrator's Guide for Web Services

7.2 Bundle Patch Release Notes

Release notes are available with each Bundle Patch from My Oracle Support at:

This document, Oracle Access Management Release Notes, Bundle Patch Generic for All Server Platforms, provides the following information for this specific Bundle Patch release:

- General information about Bundle Patches
- General Bundle Patch requirements and installation details
- Details about what is included in this Bundle Patch

This Oracle Access Management Release Notes, Bundle Patch Generic for All Server Platforms file is available in HTML format (readme.htm), which you can view without downloading the zip file.

7.3 Certification Documentation

Table 8 provides the sites where you can find certified support information and installation packages.

Table 8 OAM Certification Documentation, Installers, and Readme

To find the ...: Certification Matrix
Go to ...: Oracle Fusion Middleware Requirements Oracle Fusion Middleware

To find the ...: Downloads
Go to ...:
  Oracle Identity and Access Management ( Downloads
  Additional (non OHS11g) Webgates
  See the Oracle Identity Management 10g downloads page, Oracle Access Manager 10g - non OHS11g Webgates and 3rd Party Integrations section.

8 Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at

Access to Oracle Support

Oracle customers have access to electronic support through My Oracle Support. For information, visit /pls/topic/lookup?ctx=acc&id=info or visit if you are hearing impaired.

Accessibility of Code Examples in Documentation

Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

Deaf/Hard of Hearing Access to Oracle Support Services

To reach Oracle Support Services, use a telecommunications relay service (TRS) to call Oracle Support at 1.800.223.1711. An Oracle Support Services engineer will handle technical issues and provide customer support according to the Oracle service request process. Information about TRS is available at, and a list of phone numbers is available at

Oracle Access Management Release Notes, Bundle Patch Generic for All Server Platforms

Copyright 2000, 2013 Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means.