Oracle® Identity Management Guide to Delegated Administration
10g Release 2 (10.1.2) B14086-02 |
|
Previous |
Next |
This appendix describes common problems that you might encounter when using Oracle Delegated Administration Services and explains how to solve them. It contains these topics:
Note: You can also use Web browser diagnostics to identify basic problems with your Oracle Delegated Administration Services deployment, including whether the IP address and host name are valid or if a firewall is properly forwarding requests and responses. For more information, see the documentation for the Web browsers you plan to support in your Oracle Delegated Administration Services deployment. |
If you encounter problems when deploying or running Oracle Delegated Administration Services, you should first examine the various log files that are generated by Oracle Delegated Administration Services and the various components that it requires. This section contains the following topics:
Oracle Delegated Administration Services logs most errors in the following log file:
$ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1
This is the file you should check first when troubleshooting problems with Oracle Delegated Administration Services. Debugging must be enabled before Oracle Delegated Administration Services writes any information to the log file. To enable debugging, follow the instructions in "Enabling Debugging".
See Also: "Managing Diagnostic Settings" for information on how to view and configure diagnostic settings for Oracle Delegated Administration Services |
Oracle Application Server Containers for J2EE is the servlet engine that receives Oracle Delegated Administration Services page requests. You can examine the servlet access log, named default-web-access.log, in the $ORACLE_HOME/j2ee/OC4J_SECURITY/log/OC4J_SECURITY_default_island_1 directory. You can also examine the application.log file, which contains run-time application errors, in the $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/oiddas/OC4J_SECURITY_default_island_1 directory.
Oracle HTTP Server receives requests for Oracle Delegated Administration Services pages and forwards each request to the appropriate component for further processing. For problems that may be related to Oracle HTTP Server, you can examine the log files located in the $ORACLE_HOME/Apache/Apache/logs directory. Specifically, you should examine the access_log and error_log files.
Note: If Oracle HTTP Server is configured to rotate its log files, it appends a timestamp extension to theaccess_log and error_log files. Use the timestamp extension to find the most recent files.
|
Errors that occur when Oracle Delegated Administration Services first starts are recorded in the $ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1 file, which is generated by Oracle Application Server Containers for J2EE. Check this file for error messages if the opmnctl
utility hangs or generates command-line errors when attempting to start Oracle Delegated Administration Services.
The $ORACLE_HOME/opmn/logs/ipm.log file also contains basic information regarding the OC4J_SECURITY process, which can be helpful in determining the overall health of your Oracle Delegated Administration Services implementation. Search the ipm.log file for "OC4J_SECURITY" and review any errors you find. The log file typically contains the following messages for OC4J_SECURITY:
Starting Process: OC4J~OC4J_SECURITY~default_island~1 Process Alive: OC4J~OC4J_SECURITY~default_island~1 Stopping Process: OC4J~OC4J_SECURITY~default_island~1 Process Stopped: OC4J~OC4J_SECURITY~default_island~1 Restarting Process: OC4J~OC4J_SECURITY~default_island~1
The ipm.log file also contains messages describing any problems that may have occurred with the OC4J_SECURITY process. For example, the log file will contain the following message if OPMN encounters any problems while starting the OC4J_SECURITY process:
Infra.us.oracle.com~OC4J~OC4J_SECURITY~default_island~1952317603:0 Status: NONE Operation: internal (oid dependency failed) ErrFile: String: OID
To enable or disable debugging for Oracle Delegated Administration Services, you modify the DEBUG
and DEBUG_LEVEL
flags in the $ORACLE_HOME/ldap/das/das.properties file. Table B-1 describes each flag.
Table B-1 Debugging Flags in the das.properties File
Flag | Description | Values | Default Value |
---|---|---|---|
|
Determines whether debugging is enabled |
|
|
|
Specifies the debugging level |
|
none |
The DEBUG_LEVEL
flag is only interpreted if the DEBUG
flag is assigned a value of true. Separate the value assigned to each flag with a vertical bar (|). For example, the following statements assign a value of true
to the DEBUG
flag and a value of tracing
to the DEBUG_LEVEL
flag:
DEBUG|true DEBUG_LEVEL|tracing
After modifying the das.properties file, you must restart the Oracle Delegated Administration Services instance. Before restarting Oracle Delegated Administration Services, you may want to consider deleting the existing das.log file in order to create a fresh log file that does not contain any messages from previous Oracle Delegated Administration Services instances.
This section describes how to troubleshoot problems with the Self-Service Console. It contains these topics:
You can use the diagnostic settings in Oracle Delegated Administration Services to debug your implementation without having to examine the log files. If you have configuration privileges, then you can also change the runtime logging levels without restarting Oracle Delegated Administration Services. For more information, see"Managing Diagnostic Settings".
For problems logging in, examine the $ORACLE_HOME/ldap/log/das.log file. Also, verify the following:
The URL contains the correct infrastructure host name and HTTP server port
You are using the correct redirection URL
You can successfully execute ping
and nslookup
commands from the Web client server to the infrastructure server
You can execute ldapbind
commands from both administrative and user accounts
Whether a specific set of users is failing to log in
If any user accounts are locked
See Also: Oracle Internet Directory Administrator's Guide for information on password policies in Oracle Internet Directory |
Also, verify that the following properties are correctly set in the $ORACLE_HOME/config/ias.properties file:
DAS.LaunchSuccess
IASname
InfrastructureUse
OIDhost
OIDport
OIDsslport
VirtualHostName
InfrastructureDBCommonName
Finally, ensure that the OC4J_SECURITY information in $ORACLE_HOME/opmn/conf/opmn.xml file is set correctly. The OC4J_SECURITY information is located in the following elements in the opmn.xml file:
<process-type id="OC4J_SECURITY" module-id="OC4J"> <environment> <variable id="DISPLAY" value="Infrahost.us.oracle.com:0.0"/> <variable id="LD_LIBRARY_PATH" value="/app/oracle/product/10g/infra/lib"/> </environment> <module-data> <category id="start-parameters"> <data id="java-options" value="-Djava.security.policy=/app/oracle/product /10g/infra/j2ee/OC4J_SECURITY/config/java2.policy -Djava.awt.headless=true -Xmx512m -Djava.awt.headless=true "/> <data id="oc4j-options" value="-properties"/> </category> <category id="stop-parameters"> <data id="java-options" value="-Djava.security.policy=/app/oracle/product/ 10g/infra/j2ee/OC4J_SECURITY/config/java2.policy -Djava.awt.headless=true"/> </category> </module-data> <start timeout="900" retry="2"/> <stop timeout="120"/> <restart timeout="720" retry="2"/> <port id="ajp" range="3301-3400"/> <port id="rmi" range="3201-3300"/> <port id="jms" range="3701-3800"/> <process-set id="default_island" numprocs="1"/> </process-type>
See Also: Oracle Application Server Single Sign-On Administrator's Guide for additional information on how to resolve login problems |
Oracle Internet Directory enables you to establish a password policy in which users are prompted to change their passwords after initial login. Users must change their passwords by using the Oracle Internet Directory Self-Service Console Password Change screen. Using other mechanisms may not satisfy the password change requirement, and users may be prompted to change their password again the next time they log in.
See Also: Oracle Internet Directory Administrator's Guide for information on password policies in Oracle Internet Directory |
User entries in Oracle Internet Directory that do not belong to the inetOrgPerson
object class will not appear in the Self-Service Console. You can assign user entries to an object class by using Oracle Directory Manager or the ldapmodify
command.
See Also: The Oracle Internet Directory Administrator's Guide for information on how to use Oracle Directory Manager and theldapmodify command
|
This section describes the error messages you may encounter with the Self-Service Console.
Oracle Delegated Administration Services consists of a set of pre-defined, Web-based service units for performing directory operations on behalf of users. These units enable directory users to update their own information. This section contains these topics:
See Also: Oracle Identity Management Application Developer's Guide for additional information on how to write custom applications to resolve the issues discussed in this section |
When an Oracle Delegated Administration Services service unit tries to open a new Web browser window, the new window may not open if pop-up window blocking is enabled on a client's Web browser. To avoid pop-up window blocking, you need to write a custom application that opens a new window on a local application server, and then immediately redirects the page to the Oracle Delegated Administration Services service unit.
In case the information in the previous sections was not sufficient, you can find more solutions on Oracle MetaLink, http://metalink.oracle.com
. If you do not find a solution for your problem, log a service request.
See Also:
|