readme

38
1 Oracle® Access Manager Release Notes Bundle Patch 11.1.1.3.3 Generic May 2011 This document describes the bug fixes that are included with Bundle Patch 11.1.1.3.3. This bundle patch requires a base installation of Oracle Access Manager 11g Release 1 (11.1.1.3.0) with or without bundle patches applied. This document supersedes the documentation that accompanies Oracle Access Manager 11g Release 1 (11.1.1.3.0), and earlier documents if any. This document contains the following sections: Section 1, "Documentation Accessibility" Section 2, "Bundle Patch Overview" Section 3, "Documentation" Section 4, "Bundle Patch Requirements" Section 5, "Before You Install This Bundle Patch" Section 6, "Bundle Patch Installation and Removal" Section 7, "Known Issues" Section 8, "Fixes Included in This Cumulative Bundle Patch" Section 9, "Documentation Issues Resolved in This Bundle Patch" Section 10, "Components Included with this Bundle Patch" The names of the operating systems have been shortened for this document, as follows: 1 Documentation Accessibility Our goal is to make Oracle products, services, and supporting documentation accessible to all users, including users that are disabled. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more See Also: Oracle Access Manager Release Notes for Webgate 11g (11.1.1.3) Linux, Solaris, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems, under Section 3.2, "Patch Set Notes and Bundle Patch Notes"

Upload: nageshwar-rao

Post on 24-Oct-2014

199 views

Category:

Documents


3 download

TRANSCRIPT

Page 1: Readme

1

Oracle® Access ManagerRelease Notes

Bundle Patch 11.1.1.3.3 Generic

May 2011

This document describes the bug fixes that are included with Bundle Patch 11.1.1.3.3. This bundle patch requires a base installation of Oracle Access Manager 11g Release 1 (11.1.1.3.0) with or without bundle patches applied.

This document supersedes the documentation that accompanies Oracle Access Manager 11g Release 1 (11.1.1.3.0), and earlier documents if any. This document contains the following sections:

■ Section 1, "Documentation Accessibility"

■ Section 2, "Bundle Patch Overview"

■ Section 3, "Documentation"

■ Section 4, "Bundle Patch Requirements"

■ Section 5, "Before You Install This Bundle Patch"

■ Section 6, "Bundle Patch Installation and Removal"

■ Section 7, "Known Issues"

■ Section 8, "Fixes Included in This Cumulative Bundle Patch"

■ Section 9, "Documentation Issues Resolved in This Bundle Patch"

■ Section 10, "Components Included with this Bundle Patch"

The names of the operating systems have been shortened for this document, as follows:

1 Documentation AccessibilityOur goal is to make Oracle products, services, and supporting documentation accessible to all users, including users that are disabled. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more

See Also: Oracle Access Manager Release Notes for Webgate 11g (11.1.1.3) Linux, Solaris, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems, under Section 3.2, "Patch Set Notes and Bundle Patch Notes"

Page 2: Readme

2

information, visit the Oracle Accessibility Program Web site at http://www.oracle.com/accessibility/.

Accessibility of Code Examples in DocumentationScreen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in DocumentationThis documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

Deaf/Hard of Hearing Access to Oracle Support ServicesTo reach Oracle Support Services, use a telecommunications relay service (TRS) to call Oracle Support at 1.800.223.1711. An Oracle Support Services engineer will handle technical issues and provide customer support according to the Oracle service request process. Information about TRS is available at http://www.fcc.gov/cgb/consumerfacts/trs.html, and a list of phone numbers is available at http://www.fcc.gov/cgb/dro/trsphonebk.html.

2 Bundle Patch Overview This bundle patch must be applied to Oracle Access Manager 11g components.

Following topics provide an overview of bundle patches:

■ Section 2.1, "Bundle Patch Introduction"

■ Section 2.2, "Bundle Patch Baseline Packages"

■ Section 2.3, "Bundle Patch Package Names"

2.1 Bundle Patch Introduction A bundle patch is an official Oracle patch for Oracle Access Manager components on baseline platforms. Each bundle patch includes the libraries and files that have been rebuilt to implement one or more fixes. All of the fixes in the bundle patch have been tested and are certified to work with one another. Regression testing has also been performed to ensure backward compatibility with all Oracle Access Manager components in the bundle patch, and earlier Webgates.

Each bundle patch is cumulative: the latest bundle patch includes all fixes in earlier bundle patches for the same release and platform. Fixes delivered in bundle patches are rolled into the next release.

Bundle patches are released on a regular basis and are available on My Oracle Support (formerly Oracle MetaLink). A knowledge base note, maintained by the Support team, is also available to provide a list of bundle patches and included packages. Look for Note: 736372.1 on My Oracle Support at:

http://support.oracle.com

Page 3: Readme

3

Table 1 outlines the differences between a bundle patch and a standard patch set.

2.2 Bundle Patch Baseline PackagesBundle Patch 11.1.1.3.3 provides a generic package for all supported OAM Servers.

2.3 Bundle Patch Package Names Oracle Access Manager bundle patch releases are distributed in individual platform-specific bundles (zip files). Oracle Access Manager bundle patch zip file names are based on the following:

■ BaseRelease refers to the required component release base; for this bundle patch series the release base is 11.1.1.3.0.

■ BPnn is the short name for a specific bundle patch release (BP01, for example, is also known as release 11.1.1.3.1; BP03 is also known as 11.1.1.3.3)

■ component refers to a specific Oracle Access Manager component, such as OAM Server or a specific Webgate.

■ Webserver is the Web server identifier for a Webgate

Note: To remain in an Oracle-supported state, Oracle recommends that you apply the bundle patch to all installed components for which packages are provided.

Table 1 Bundle Patches versus Patch Sets

Mechanism Description

Bundle Patch A bundle patch is an official Oracle patch mechanism for Oracle Access Manager components on baseline platforms. Each bundle patch includes the libraries and files that have been rebuilt to implement one or more fixes.

This bundle patch must be applied to Oracle Access Manager 11g Release 1 (11.1.1.3.0) components.

See Also: Section 5, "Before You Install This Bundle Patch".

Patch Set Note: There is no patch set available for Oracle Access Manager 11g.

A patch set is a mechanism for delivering fully tested and integrated product fixes that can be applied to installed components of the same release. Patch sets include all of the fixes available in previous bundle patches for the release. A patch set can also include new functionality.

All of the fixes in the patch set have been tested and are certified to work with one another on the specified platforms.

Each patch set provides the libraries and files that have been rebuilt to implement bug fixes (and new functions, if any). However, a patch set might not be a complete software distribution and might not include packages for every component on every platform.

See Also: Oracle Access Manager Release Notes for Webgate 11g (11.1.1.3) Linux, Solaris, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems for details about Webgates delivered with Oracle Access Manager Bundle Patch 11.1.1.3.3

Page 4: Readme

4

Table 2 lists sample package names for Oracle Access Manager bundle patches.

3 DocumentationThis section describes the documentation that is available to support the latest bundle patch and the original release. This section provides the following topics:

■ Section 3.1, "Oracle Access Manager Manuals and Release Notes"

■ Section 3.2, "Patch Set Notes and Bundle Patch Notes"

■ Section 3.3, "Certification Documentation"

3.1 Oracle Access Manager Manuals and Release NotesYou can find release notes and manuals on Oracle Technology Network (OTN). If you already have a user name and password for OTN, you can go directly to the documentation section of the OTN Web site at:

http://www.oracle.com/technetwork/indexes/documentation/index.html

Oracle Access Manager 11g is documented in the following manuals:

■ Oracle Access Manager 11g Release 1 (11.1.1.3.0) Release Notes chapter of the Oracle Fusion Middleware Release Notes 11g Release 1 (11.1.1)

■ Oracle Fusion Middleware Installation Guide for Oracle Identity Management—Explains how to use the Oracle Universal Installer and the WebLogic Configuration Wizard for initial Oracle Access Manager 11g deployment. Installing Oracle Access Manager 11g Webgates is also covered.

■ Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service—Explains how to manage Oracle Access Manager components and policies within one or more WebLogic administration domains.

■ Oracle Fusion Middleware Integration Guide for Oracle Access Manager—Explains how to set up Oracle Access Manager to run with other Oracle and third-party products

Table 2 Bundle Patch Package Name Examples

Bundle Patch Example

Convention Oracle_Access_Manager_BaseRelease_BPnn_component.zip

OAM Server

Oracle_Access_Manager_11_1_1_3_0_BP03_generic_server_components.zip

11g Agents Convention

Oracle_Access_Manager_11_1_1_3_0_BPnn_Webserver_Webgate.zip

Example

Oracle_Access_Manager_11_1_1_3_0_BP03_OHS_Webgate.zip

OAM Identity Assertion Provider

Convention

oamAuthnProvider

Example

oracle.oamprovider_11.1.1/oamAuthnProvider.jar

Page 5: Readme

5

■ Oracle Fusion Middleware Upgrade Planning Guide

■ Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management

■ Oracle Fusion Middleware Upgrade Guide for Java EE—For information about the types of Java EE environments available in 10g and instructions for upgrading those environments to Oracle Fusion Middleware 11g.

■ Oracle Fusion Middleware Administrator's Guide—Describes how to manage Oracle Fusion Middleware, including how to change ports, deploy applications, and how to back up and recover Oracle Fusion Middleware. This guide also explains how to move data from a test to a production environment.

■ Oracle Fusion Middleware Application Security Guide—Explains deploying Oracle Access Manager 10g SSO solutions, which have been replaced by OAM 11g SSO.

■ Oracle Application Server Single Sign-On Administrator's Guide—For details about using OracleAS Single Sign-On with mod_osso to protect access to Web applications.

■ Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management—For a step-by-step guide to deployment.

■ Oracle Fusion Middleware WebLogic Scripting Tool Command Reference—Provides a section on customized Oracle Access Manager commands in the chapter "Infrastructure Security Custom WLST Commands".

3.2 Patch Set Notes and Bundle Patch NotesYou can download notes with software patches and bundle patches from My Oracle Support (formerly MetaLink) at:

http://support.oracle.com

This document, Oracle Access Manager Release Notes for Bundle Patch 11.1.1.3.3 Generic, provides the following information for this specific bundle patch release:

■ General information about bundle patches

■ General bundle patch requirements and installation details

■ Details about what is included in this bundle patch

This Oracle Access Manager Release Notes for Bundle Patch 11.1.1.3.3 Generic readme file is available in PDF format within the bundle patch distribution zip file. The file is named for the product and release (oam_111133_doc.pdf). An HTML version of this file, readme.htm, is available outside the zip file.

The Oracle Access Manager Release Notes for Webgate 11g (11.1.1.3) Linux, Solaris, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems provides the following information for Webgates delivered with Oracle Access Manager Bundle Patch 11.1.1.3.3

■ General information about bundle patches

■ General Webgate bundle patch requirements and installation details

■ Details about what is included in the Webgate bundle patch

Page 6: Readme

6

The Oracle Access Manager Release Notes for Webgate 11g (11.1.1.3) Linux, Solaris, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systemsreadme file is available in PDF format within the bundle patch distribution zip file. The file is named for the product and release (oam_111133_webgate_doc.pdf). An HTML version of this file, wg_readme.htm, is available outside the zip file.

3.3 Certification DocumentationTable 3 provides the sites where you can find certified support information and installation packages.

4 Bundle Patch Requirements Requirements for this bundle patch are discussed in the following topics:

■ Section 4.1, "Base Release for Bundle Patch 11.1.1.3.3"

■ Section 4.2, "Bundle Patch Recommendations"

4.1 Base Release for Bundle Patch 11.1.1.3.3Oracle Access Manager 11g Release 1 (11.1.1.3.0), is the required base for Bundle Patch 11.1.1.3.3.

Table 3 OAM Certification Documentation, Installers, and Readme

Certification Matrix on Oracle Technology Network

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

Certification Release Notes and Related Doc Updates on OTN

http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html

Oracle Fusion Middleware 11gR1 Software Downloads page

Oracle Fusion Middleware System Requirements and Specifications

http://www.oracle.com/technology/software/products/ias/files/fusion_requirements.htm

Non-OHS 11g Webgate Installers and Release Notes

Webgates for Oracle Access Manager 11g (other than OHS 11g Webgates), can be found on the Oracle Identity Management 10g downloads page at:

http://www.oracle.com/technology/software/products/ias/htdocs/101401.html

Oracle Access Manager - 3rd Party Integration

Release Notes include:

■ Contents of Each Download Link

■ Prerequisites

■ Overview of changes to Oracle Access Manager manuals

■ Known Issues

Page 7: Readme

7

Oracle Access Manager 11g full installers are available with Oracle Fusion Middleware 11g on the Oracle Technology Network:

http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html

Additional Webgates (non-OHS 11g Webgates) are available on:

http://www.oracle.com/technology/software/products/ias/htdocs/101401.html

4.2 Bundle Patch RecommendationsOracle recommends that you apply each bundle patch to all installed components included with the bundle patch.

Oracle also recommends that OAM Server components be at the same (or higher) bundle patch level as the installed 11g Webgate.

If a Webgate bundle patch is provided, Oracle recommends that you apply it as described in Table 4.

See Also: Oracle Access Manager Release Notes for Webgate 11g (11.1.1.3) Linux, Solaris, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems for details about Webgates delivered with Oracle Access Manager Bundle Patch 11.1.1.3.3

See Also: Oracle Access Manager Release Notes for Webgate 11g (11.1.1.3) Linux, Solaris, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems for details about Webgates delivered with Oracle Access Manager Bundle Patch 11.1.1.3.3

Table 4 Bundle Patches and Webgates

If you have ... Perform Following Steps ...

11g Release 1 (11.1.1.3.0) Webgates

Apply a Webgate bundle patch:

1. Confirm that an 11g Release 1 (11.1.1.3.0) Webgate is installed as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

2. See Section 10, "Components Included with this Bundle Patch" to learn if a Webgate is provided.

3. Confirm that the installed Webgate bundle patch level, if any, is lower than the bundle patch you intend to apply.

4. Apply the bundle patch as described in Section 6, "Bundle Patch Installation and Removal".

Earlier Webgates (release 7.x, 10.x)

Deploy an 11g Release 1 (11.1.1.3.0) Webgate with a full installer package

1. Remove the earlier Webgate (or AccessGate) using instructions in the earlier Oracle Access Manager Installation Guide.

2. Install the 11g Webgate using all specifications for the earlier Webgate and steps in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

3. Apply this bundle patch as described in Section 6, "Bundle Patch Installation and Removal".

Page 8: Readme

8

5 Before You Install This Bundle PatchBefore installing this bundle patch, Oracle recommends that you review this section and follow these instructions carefully:

■ Ensure that your system configuration is at the appropriate level:

- Oracle Access Manager 11g Release 1 (11.1.1.3.0)

- Supported Operating System

- Supported Web server release and type

■ Confirm that any currently installed bundle patch level is lower than the one you intend to install.

For example, you can install 11.1.1.3.3 on top of 11.1.1.3.3 but you cannot install 11.1.1.3.2 over 11.1.1.3.3.

■ There is no need to remove an earlier bundle patch before installing a later one.

6 Bundle Patch Installation and RemovalThis section contains the following topics to guide you as you prepare and install the bundle patch files (or as you remove a bundle patch should you need to revert to your original installation):

■ Section 6.1, "Preparing the Environment and Downloading the Bundle Patch"

■ Section 6.2, "Installing a Bundle Patch on Any Platform"

■ Section 6.3, "Failure During Bundle Patch Application"

■ Section 6.4, "Rolling Back a Bundle Patch on Any System"

6.1 Preparing the Environment and Downloading the Bundle Patch This section introduces the Oracle patch mechanism (Opatch) and requirements that must be met before applying the bundle patch. Opatch is a Java-based utility that runs on all supported operating systems and requires installation of the Oracle Universal Installer.

Note: If your system configuration does not meet support requirements, or if you are not certain that your system configuration meets these requirements, Oracle recommends that you log an Service Request to get assistance with this bundle patch. Oracle Support will make a determination about whether you should apply this bundle patch or not.

Note: Oracle recommends that always install the latest bundle patch.

Note: Oracle recommends that you have the latest version of Opatch from My Oracle Support (formerly Oracle MetaLink). Opatch requires access to a valid Oracle Universal Installer (OUI) Inventory to apply patches.

Page 9: Readme

9

The patching process uses both unzip and Opatch executables. After sourcing the ORACLE_HOME environment, Oracle recommends that you confirm that both of these exist before patching.

Perform steps in the following procedure to prepare your environment and download the bundle patch. Due to formatting constraints in this document, some sample text lines wrap around. These line wraps should be ignored.

Unless explicitly identified as relevant to only a specific condition, all steps apply to all intended Opatch usage and environments. Ignore steps that do not apply to your environment or intended Opatch use. For instance, Steps 6 and 7 are required only if you intend to use Opatch with the -auto flag for patch application. Without the Opatch Auto flag, you can skip Steps 6 and 7. Steps that relate to only a specific condition are identified with a bold condition.

Several steps instruct you to use new functionality available with this bundle patch. These steps include a link to more information.

To prepare your environment and download the bundle patch 1. Download Opatch 11.1.x (version 11.1.0.8.3 or higher is required), if needed:

a. Log in to My Oracle Support:

https://support.oracle.com/

b. Review the following notes before installing Opatch:

Note 224346.1: Opatch - Where Can I Find the Latest Version of Opatch? and, in the document, click the Patch 6880880 link which takes you to the screen where you can obtain the latest version of OPatch based on release versions and platforms.

Note 1051266.1: How To Install a WebCenter 11g Patch?

Opatch -auto Option: See Note 1146793.1, How to check/verify/modify Node Manager username & password?

Note: Ignore line wrapping in syntax examples and ignore steps that do not apply to your environment or intended Opatch use.

See Also:

■ Oracle Fusion Middleware Patching Guide

■ Oracle Universal Installer and OPatch User's Guide at http://download.oracle.com/docs/cd/E14571_01/doc.1111/e16793/toc.htm

■ Oracle Access Manager Release Notes for Webgate 11g (11.1.1.3) Linux, Solaris, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems for details about Webgates delivered with Oracle Access Manager Bundle Patch 11.1.1.3.3

Note: If you have Opatch, enter opatch --help to learn the version. If earlier than 11.1.0.8.3, you must download the latest 11.1.x version. Do not download Opatch 11.2.

Page 10: Readme

10

2. Confirm the required executables are in your system PATH, and add these if needed:

which opatch which unzip

3. Verify the OUI Inventory using the following command:

opatch lsinventory

If an error occurs, contact Oracle Support to validate and verify the inventory setup before proceeding. If the ORACLE_HOME does not appear, it might be missing from the Central Inventory, or the Central Inventory itself could be missing or corrupted.

4. Confirm that ORACLE_HOME is pointing to the correct location (MW_HOME/Oracle_IDM1) and change this if needed.

5. On the machine that will host the bundle patch files, create a directory to store the unzipped patch (referenced later as PATCH_TOP). For example:

Linux: /home/11.1.1.3.3/tmp Solaris: /opt/11.1.1.3.3/tmp Windows: C:\11.1.1.3.3\tmp

Opatch -auto Flag: Steps 6 and 7 are required only if you intend to use Opatch with the -auto flag for patch application. Without the Opatch Auto flag, you can skip Steps 6 and 7.

6. Opatch -auto Flag: Node Manager configuration:

a. Open the file nodemanager.properties in the default path:

Default Path:

MW_HOME or WebLogic_HOME/common/nodemanager/

UNIX Example:

fmw11g/wlserver_10.3/common/nodemanager/nodemanager.properties

Windows Example:

fmw11g\wlserver_10.3\common\nodemanager\nodemanager.properties

b. Add or validate the following lines in nodemanager.properties:

StartScriptEnabled=trueStopScriptEnabled=true

Note: The Opatch -auto flag uses WLST commands with the Node Manager to start or shut down required WLS servers (AdminServer, OAM Servers, or both).

Note: If nodemanager.properties is not in the default location, then starting and stopping Node Manager once creates this file.

Page 11: Readme

11

c. Ensure that the Node Manager is running using the startNodeManager script in the following path:

MW_HOME or WebLogic_HOME/server/bin/startNodeManager

UNIX startNodeManager.sh:

fmw11g/wlserver_10.3/server/bin/startNodeManager.sh

Windows startNodeManager.cmd:

fmw11g\wlserver_10.3\server\bin\startNodeManager.cmd

7. Opatch -auto Flag: Set the Machine Name and Listen Address as follows:

Configure OAM Servers:

a. Log in to the WebLogic Administration Console and go to the Domain Structure, go to Domain_Name, Environments, Machines.

b. Production Mode: Click the Lock & Edit button.

c. Create a new machine: Click the NEW button, enter a name, and choose the Machine OS (Unix, for example).

d. Select the Machine just created, go to Configuration, Node Manager, then change the Listen Address to the Host_Name for which the Node Manager is listening, then click Save.

e. In the Domain Structure, go to DOMAIN_NAME, Environments, Servers.

f. Click on each server, assign the new machine created above; within 'Listen Address' enter the name of the host where the Node Manager is running and then click the Save button.

g. Production Mode: Click the Activate Changes button.

h. Repeat for each OAM Server.

Note: Step 7 instructs you to change the server's machine name and listen address, which can be blank on a default installation. For the -auto option:

■ The machine name for each WebLogic server (including AdminServer) must be set to a specific Host_Name, not blank or none.

■ The listen address of the AdminServer and OAM Servers must be set to a real physical host address (hostname, FQDN, or IP address), not blank or localhost.

After this, you must connect to WLST (or the Administration Console) using this Host_Name (not "localhost"). Explicit Host_Name usage is required while accessing WLST or the Administration Console.

Note: With the WebLogic Server in Development Mode, ignore Steps labeled for Production Mode.

Page 12: Readme

12

Configure AdminServer:

a. From the WebLogic Administration Console, Stop the AdminServer and all OAM Servers.

b. Production Mode: Backup and modify the existing config.xml as follows:

—Back up the existing config.xml file for the WebLogic domain. For example, the default path is:

MW_HOME/user_projects/domains/DOMAIN_NAME/config/config.xml

—Modify config.xml to search for the <name>AdminServer</name> entry and add the following entries beneath it:

--------------------------------------------------<machine>[HOST_NAME]</machine><listen-address>[HOST_NAME]</listen-address>--------------------------------------------------

—Save config.xml.

c. Development Mode: Click AdminServer, assign the machine created earlier and click the Save button; within 'Listen Address' enter the name of the host where the Node Manager is running and click the Save button.

d. Change the hostname verification for AdminServer.

—Production Mode: Click the Lock & Edit button.

—In the Domain Structure, go to DOMAIN_NAME, Environments, Servers.

—Click AdminServer, then within the Configuration tab and over the SSL subtab.

—Click within the Advanced link and then change the Hostname Verification to None, and click the Save button.

—Production Mode: Click the Activate Changes button.

e. Restart the Node Manager, AdminServer, and all OAM Servers.

If AdminServer does not start, restore config.xml and contact Oracle Support.

8. Retrieve the Bundle Patch:

a. From My Oracle Support, click the Patches & Updates link.

b. Enter the Patch ID or Number, then click Search to display a Patch Search Results table.

c. Using the Release and Platform columns, find the desired patch, then click the associated Patch ID.

Note: Specific steps for the WebLogic Server in Development Mode, and Production Mode, are labeled.

Page 13: Readme

13

d. Download: In the page that appears, click the Download button to retrieve the packages.

9. Stop all OAM Servers and AdminServer.

10. Unzip the patch zip file into the PATCH_TOP directory you created earlier. For example:

unzip -d PATCH_TOP p12365301_111130_Generic.zip

11. On AdminServer and OAM Servers, copy the following files:

config.jar configmgmt.jar mapstore-coherence.jar

From: patch/files/oam/server/lib/jmx

To: DOMAIN_HOME/config/fmwconfig/mbeans/oam

12. On AdminServer and OAM Servers, copy RequestResponseXMLSchema.xsd to your domain location. For example:

From: patch/files/oam/server/config/RequestResponseXMLSchema.xsd

To: DOMAIN_HOME/config/fmwconfig

13. Remove mod-osso Agent Custom Cookies on Logout: First back up and then edit DOMAIN_HOME/config/fmwconfig/oam-config.xml as follows:

a. Back up DOMAIN_HOME/config/fmwconfig/oam-config.xml.

b. Delete Custom mod-osso Agent Cookies on Logout: In oam-config.xml, add the CookieDelMap element and CookieNames (one value or a comma-separated list of custom cookies to delete when a user logs out).

See also the fix for bug 10216429 in Table 7, " Details of Cumulative Bundle Patch 11.1.1.3.3".

Syntax:

<Setting Name="CookieDelMap" Type="htf:map"> <Setting Name="CookieNames" Type="xsd:string">COOKIE_NAME</Setting></Setting>

Example (beneath PluginClass" Type=...):

Note: Step 13 describes how to delete mod-osso agent custom cookies on logout. If you already have an OAM domain, perform the Step 13 now. Otherwise, perform Step 13 after you have configured an OAM domain.

Note: Steps 13b-c describe editing oam-config.xml to configure the OAM Server to delete custom cookies (set during authentication) when a user logs out of OAM. For instance, when integrating with Oracle E-Business Suite, the ORASSO_AUTH_HINT cookie is set by the application and should be included in the CookieNames list in Step b.

Page 14: Readme

14

<Setting Name="ResponsePluginSetting" Type="htf:map"> <Setting Name="PluginClass" Type=... </Settings> <Setting Name="CookieDelMap" Type="htf:map"> <Setting Name="CookieNames" Type="xsd:string">ORASSO_AUTH_HINT </Setting> </Setting></Setting>

c. Set ossoproxy, ResponsePluginEnabled to true to enable execution of clearing the named cookies’ values on OSSO-channel.

d. Configuration Version: Increment the Version xsd:integer as shown in the next to last line of this example (existing value + 1):

Example:

<Setting Name="Version" Type="xsd:integer"> <Setting xmlns="http://www.w3.org/2001/XMLSchema" Name="NGAMConfiguration" Type="htf:map:> <Setting Name="ProductRelease" Type="xsd:string">11.1.1.3</Setting> <Setting Name="Version" Type="xsd:integer">2</Setting></Setting>

14. Set Security Level for Error Messages: First back up and then edit DOMAIN_HOME/config/fmwconfig/oam-config.xml as follows:

a. Back up DOMAIN_HOME/config/fmwconfig/oam-config.xml.

b. Set Security Level for Error Messages: Under ssoengine, add the elements in following examples after reviewing "Details of Fix for Bug 10030171" on page 30):

Syntax:

<Setting Name="ErrorConfig" Type="htf:map"> <Setting Name="ErrorMode" Type="xsd:string">[Error Message Level] </Setting> </Setting>

Example:

<Setting Name="ssoengine" Type="htf:map"> <Setting Name="ErrorConfig" Type="htf:map"> <Setting Name="ErrorMode" Type="xsd:string">EXTERNAL</Setting> </Setting>

Note: Perform Step 13d only if you are updating oam-config.xml manually while OAM servers are running. This will increment the configuration version and have the server recognize and apply the changes. If servers are not running, while applying the bundle patch for instance, skip Step d.

Note: Step 14 describes editing oam-config.xml to have the OAM Server set error message levels for increased security. See "Details of Fix for Bug 10030171" on page 30.

Page 15: Readme

15

c. Configuration Version: Increment the Version xsd:integer as shown in the next to last line of this example (existing value + 1):

Example:

<Setting Name="Version" Type="xsd:integer"> <Setting xmlns="http://www.w3.org/2001/XMLSchema" Name="NGAMConfiguration" Type="htf:map:> <Setting Name="ProductRelease" Type="xsd:string">11.1.1.3</Setting> <Setting Name="Version" Type="xsd:integer">3</Setting></Setting>

15. Migrated OSSO Environment: Oracle recommends that you apply the bundle patch before starting migration. However, if the environment is already migrated, perform the following steps:

a. In OAM Administration Console, Policy Configuration tab, Shared Components node, edit the host identifier of 'migratedSSOPartners' to add the following two entries:

Host Name = migratedSSOPartners, Port = 80Host Name = migratedSSOPartners, Port = (empty value to be set for port)

b. Turn off the Web server associated with the protected application.

c. Back up your ORACLE_HOME.

d. Move the backup directory to another location and record this so you can locate it later, if needed.

16. Proceed to Section 6.2, "Installing a Bundle Patch on Any Platform":

6.2 Installing a Bundle Patch on Any PlatformThis section describes how to install components in the bundle patch on any platform using Oracle patch (Opatch). While individual command syntax might differ depending on your platform, the overall procedure is the same.

The files in each bundle patch are installed into the destination ORACLE_HOME. This enables you to remove (roll back) the bundle patch even if you have deleted the original bundle patch files from the temporary directory you created.

Oracle recommends that you back up the ORACLE_HOME using your preferred method before any patch operation. You can use any method (zip, cp -r, tar, and cpio) to compress the ORACLE_HOME.

When Opatch starts, it validates the patch to ensure there are no conflicts with the software already installed in your ORACLE_HOME:

■ Conflicts with a patch already applied to the ORACLE_HOME. In this case, stop the patch installation and contact Oracle Support Services.

Note: Perform Step 14c only if you are updating oam-config.xml manually while OAM servers are running. This will increment the configuration version and have the server recognize and apply the changes. If servers are not running, while applying the bundle patch for instance, skip Step c.

Page 16: Readme

16

■ Conflicts with subset patch already applied to the ORACLE_HOME. In this case, continue installation because the new patch contains all the fixes from the existing patch in the ORACLE_HOME. The subset patch is automatically rolled back before installation of the new patch begins.

This patch is -auto flag enabled. You can choose to apply the patch with or without the -auto flag. Table 5 describes the Opatch application modes. The following procedure includes steps for both modes.

Secure Communication: When using the -auto flag in Open security mode, you might see a WARNING after running the opatch apply -auto command. Oracle recommends that you review the log file for more information. For example:

The following warnings have occurred during Opatch execution: 1) OUI-67851:All the applications affected by this patch are deployed in 'No Stage' mode.Redeploy operation will not be performed for the affected applications.Please refer to the log file for more details

Migration from OSSO 10g to OAM 11g: The administrator must explicitly set the Identity Store (migratedUserIdentityStore) as the primary store, and also ensure that migratedUserIdentityStore is updated with the necessary Administrator Group to access Oracle Access Manager Console. This enables users to log in to and out of integrated Partner Applications (DAS 10g and Oracle E-Business Suite, for example) as a valid user (defined in your Oracle Internet Directory data store. Exactly when you perform this task depends on when the migration from OSSO 10g to OAM 11g occurs:

Table 5 Opatch Application Modes

Mode Description

opatch apply -auto

On Windows:

opatch apply -auto -domain domain_name

With the -auto option, Opatch bounces all local servers (and servers sharing the Middleware Home) affected by the patch. Also:

■ AdminServer and Node Manager must be running.

■ OAM Servers may be running or not. If not running, you must start these servers to uptake the patch (OPatch does not).

■ Opatch expects secure connections. In Open mode, you might see a WARNING after running opatch apply -auto. See details after this table.

With the -auto option, Opatch interviews you for the following inputs. Ensure that the values you enter are correct and complete to avoid patch failures:

AdminUser: The WebLogic AdminServer usernameAdminPassword: The WebLogic AdminServer passwordAdminServerURL: The WebLogic AdminServer URLDomainHome: The WebLogic domain directory locationApplicationsDir: WebLogic applications directory locationOn Windows system, include the -domain option and the domain name.

opatch apply Without the -auto flag:

■ No servers need to be running.

Page 17: Readme

17

■ Migration Before Bundle Patch 11.1.1.3 Installation: Apply Bundle Patch 11.1.1.3, then reset the primary Identity Store (migratedUserIdentityStore) before logging in to integrated Partner Applications.

■ Migration After Bundle Patch 11.1.1.3 Installation: Reset the primary Identity Store after migration and before logging in to integrated Partner Applications.

In either event, see Step 10 in "To install a bundle patch on any platform". Administrators can use either the Oracle Access Manager Console or WLST commands to accomplish this task. Step 10 describes this using the console.

To install a bundle patch on any platform1. Complete all activities in Section 6.1, "Preparing the Environment and

Downloading the Bundle Patch".

2. Log in as the same user who installed the base product and:

a. Stop the OAM Server to which you will apply this bundle patch, and any application that uses this component.

b. Turn off the Web server associated with the protected application.

c. Back up your ORACLE_HOME.

d. Move the backup directory to another location and record this so you can locate it later, if needed.

3. Set your current directory to the directory where the patch is located. For example:

cd PATCH_TOP/12365301

4. Use the desired Opatch command to apply the patch to your ORACLE_HOME:

Without Auto Flag: opatch apply

Auto Flag: opatch apply -auto

Auto Flag on Windows: opatch apply -auto -domain domain_name

5. Auto Flag: Provide details as you are prompted for them (see Table 5), check for any WARNING messages then review the log file if needed.

6. Test to Production: When migrating a selected partner, retrieve the partner ID from the test system’s oam-config.xml. For example, if the partner ID for the OSSO Agent with site name 'TEST_OSSO_AGENT2' is

Note: Opatch operates on one instance at a time. If you have multiple instances, you must repeat these steps for each instance.

Note: Step 6 is needed only when migrating from a test environment to a production environment. Here you are instructed to edit oam-config.xml. Oracle recommends that you back up the current oam-config.xml before editing.

Page 18: Readme

18

998AF964144D39BC2F, as shown here (see also the fix for bug 10119361 in Table 7, " Details of Cumulative Bundle Patch 11.1.1.3.3"):

<Setting Name="998AF964144D39BC2F" Type="htf:map"><Setting Name="AdminId" Type="xsd:string"></Setting><Setting Name="SiteName" Type="xsd:string">TEST_OSSO_AGENT2</Setting>

Then execute the following command from the WLST prompt:

exportSelectedPartners(pathTempOAMPartnerFile="<path where the temporary file need to be generated>",partnersNameList="998AF964144D39BC2F")

7. Remove the class files from the following directory (without erasing any jsp files you might have customized or configuration changes made to the deployment):

<DOMAIN_HOME>/servers/<Managed_server_name>/tmp/_WL_user/oam_server/ xrd2uw/jsp_servlet/_pages/*.class

8. Multiple Instances: Repeat Steps 1-7 to apply the bundle patch to each instance throughout your installation.

9. Without -auto Flag: Restart servers (AdminServer and all OAM Servers), as needed (see Table 5).

10. Migration from OSSO 10g to OAM 11g: Reset the primary Identity Store (migratedUserIdentityStore) before logging in to the integrated Partner Applications:

a. From the Oracle Access Manager Console, System Configuration tab, expand Data Sources, and expand User Identity Stores.

b. In the navigation tree, double-click the name MigratedUserIdentityStore.

c. Click the Set as Primary button.

d. Click Apply.

e. Log in to integrated Partner Applications, as usual.

Step 11 describes how to enable SSL in an E-Business Suite partner application OAM Server and AdminServer.

11. Enable SSL for OAM Server:

a. Create a Wallet, Certificates, and keystore file.

b. From the WebLogic Server Administration Console, configure SSL for AdminServer and oam_server1.

c. Enable the SSL port for both AdminServer and oam_server1.

Note: Caveats:

■ Migration Before Bundle Patch 11.1.1.3 Installation: Apply Bundle Patch 11.1.1.3, then reset the primary Identity Store.

■ Migration After Bundle Patch 11.1.1.3 Installation: Reset the primary Identity Store after migration.

Page 19: Readme

19

d. Specify the same keystore file for Node Manager in the nodemanager.properties file.

Default Path:

MW_HOME or WebLogic_HOME/common/nodemanager/

UNIX Example:

fmw11g/wlserver_10.3/common/nodemanager/nodemanager.properties

Windows Example:

fmw11g\wlserver_10.3\common\nodemanager\nodemanager.properties

e. Confirm that the SSL enabled application correctly redirects to the SSL-enabled Oracle Access Manager SSO Login page, and that you can log in and access the application as expected.

f. Back up DOMAIN_HOME/config/fmwconfig/oam-config.xml.

g. Update logoutRedirectUrl for IDMDomainAgent: In oam-config.xml, modify the logoutRedirectUrl parameter from http to https and change the http port to the https port).

Syntax:

<Setting Name="IDMDomainAgent" Type="htf:map">> <Setting Name="logoutRedirectUrl" Type="xsd:string">https://host:<httpsport>/oam/server/logout></Setting>

h. Configuration Version: Increment the Version xsd:integer as shown in the next to last line of this example (existing value (3) + 1):

Example:

<Setting Name="Version" Type="xsd:integer"> <Setting xmlns="http://www.w3.org/2001/XMLSchema" Name="NGAMConfiguration" Type="htf:map:> <Setting Name="ProductRelease" Type="xsd:string">11.1.1.3</Setting> <Setting Name="Version" Type="xsd:integer">3</Setting></Setting>

6.3 Failure During Bundle Patch Application If there is a failure during your installation of the bundle patch, your original installation is restored automatically.

You can check the window to see if you can discern the problem, then correct the problem and restart the bundle patch installation.

Note: Steps 11g-h describe editing oam-config.xml to configure the OAM Server for SSL through the AdminServer.

Note: Restart the OAM Server.

Page 20: Readme

20

6.4 Rolling Back a Bundle Patch on Any System The steps to remove a bundle patch from all systems are provided in the following procedure, if needed. While individual command syntax might differ depending on your platform, the overall procedure is the same.

After unpatching, the bundle patch is removed and the system is restored to the state it was in immediately before patching.

Rolling back a bundle patch is described in the following steps.

To roll back a bundle patch on any system1. Perform all steps in Section 6.1, "Preparing the Environment and

Downloading the Bundle Patch" to verify the inventory, set any environment variables, shut down any services running from the ORACLE_HOME or host machine.

2. Change to the directory where the patch was unzipped. For example:

cd PATCH_TOP/12365301

3. Back up the ORACLE_HOME directory that includes the bundle patch and move the backup to another location so you can locate it later, if needed.

4. Run Opatch to roll back the patch. For example:

Without Auto Flag: opatch rollback -id 12365301

Auto Flag: opatch rollback -id 12365301 -auto

Auto Flag on Windows:

opatch rollback -id 12365301 -auto -domain domain_name

5. Without Auto Flag: Restart servers (AdminServer and all OAM Servers) as needed based on the mode you are using.

6. Start the OAM Servers. For example: oam_server1.

7 Known IssuesTable 6 identifies any known issues with this bundle patch release.

Note: The unpatching process overrides any manual configuration changes introduced within an environment. These changes must be re-applied manually after unpatching.

See Also: Oracle Fusion Middleware Release Notes for known issues with the full-installer release

Page 21: Readme

21

Table 6 Known Issues in this Bundle Patch

Bundle Patch Number

Base Bug Number Description of the Problem

11.1.1.3.3 12370178 Manual changes are required to oam-config.xml after enabling SSL on the WebLogic Administration Server and OAM Server to ensure logout on the SSL-enabled port.

See Also: Step 11 of "Installing a Bundle Patch on Any Platform" on page -15.

11.1.1.3.2 11659513 OSSO 'Paranoid' mode enables Oracle E-Business Suite to enforce re-authentication upon session timeout and restrict the number of sessions for a user.

Protocol Compatibility: OSSO 'Paranoid' mode, and its dynamic directive, are not currently supported.

After the SSA session has expired and you try to re-establish the same session, the session goes into a continuous loop with the following error:

page is not redirecting properly

Workaround: Disable OSSO 'Paranoid' mode before migrating to Oracle Access Manager 11g.

See Also: 'Session Timeout Behavior' in Oracle Applications System Administrator's Guide, Security Release 12: http://download.oracle.com/docs/cd/B34956_01/current/acrobat/120sasg.pdf.

11.1.1.3.2 7508615 After successful authentication, if you click the Back button in the browser window, you might get an error for access/oblix/apps/webgate/bin/webgate.so.

When form-based authentication is used, Oracle Access Manager creates a form login cookie that holds information about the requested resource. On successful authentication, the state of the cookie changes. When the user clicks the Back button, the login form appears. When re-posted, the form login cookie no longer holds redirection details.

The ObSSOCookie is also sent with the form login cookie.The ObSSOCookie is correctly checked. As the form login cookie state changes, the form-based authentication does not occur and the form action is considered as a request for the resource.

Page 22: Readme

22

11.1.1.3.2 10250316 Currently there is no process or tool that enables you to upgrade Oracle Access Manager 10g to Oracle Access Manager 11g. Oracle recommends a fresh installation of Oracle Access Manager 11g.

Currently there is no process or tool that enables you to upgrade an integration between Oracle Identity Federation and Oracle Access Manager 10g to Oracle Identity Federation and Oracle Access Manager 11g.

Currently there is no process or tool to copy files or a 10g configuration to 11g.

Until these issues are resolved, Oracle recommends that you:

■ Install Oracle Access Manager 11g as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

■ Reconfigure the Oracle HTTP Server to use an agent that is supported by Oracle Access Manager 11g.

■ Register the agent with Oracle Access Manager 11g to open a trusted connection.

■ Recreate earlier policies in an Oracle Access Manager 11g application domain (to match the 10g policy domain).

■ Add resources to the Oracle Access Manager 11g application domain.

■ Assign a pre-defined authentication scheme for Oracle Identity Federation and confirm that all Oracle Identity Federation information is correct.

For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

11.1.1.3.1 10067646 A resource protected by an agent should be accessible using the transport security of the agent.

The IDM Domain Agent does not support Simple or Cert mode security for communication with OAM 11g. If a resource is protected by the IDM Domain Agent with Simple or Cert mode security, there is no authentication request. Instead, the resource is displayed directly with authentication that falls back to the container policy.

You can protect the OAM Console using OHS Webgate 11g. The OAM Console port becomes either 7778 or the OHS port for the Webgate.

Table 6 (Cont.) Known Issues in this Bundle Patch

Bundle Patch Number

Base Bug Number Description of the Problem

Page 23: Readme

23

8 Fixes Included in This Cumulative Bundle PatchThis bundle patch provides specific fixes for core components on all platforms. The latest bundle patch is cumulative and includes all fixes in all previous bundle patches for the specified product release. Table 7 identifies the fixes in this bundle patch release.

11.1.1.3.1 6880880 After using Opatch, a message appears: "The local system has been patched and can be restarted."

Workaround:

Use the latest release of Opatch available from My Oracle Support, as described in "Preparing the Environment and Downloading the Bundle Patch" on page 8.

Table 7 Details of Cumulative Bundle Patch 11.1.1.3.3

Bundle Patch Number

Base Bug Number Description of the Problem Solved

11.1.1.3.3 11856935 Resolves an issue that occurred when the Webgate "Logout URL" value was entered with UPPERCASE letters in the CALLBACK portion of the URL. An error occurred when you clicked Apply.

This is fixed; uppercase letters are accepted.

11.1.1.3.3 12361509 Resolves an issue that occurred when a large number of resources exist in an application domain, and adding a new resource to an authorization policy took an excessive amount of time to complete.

The performance of this function has been improved.

11.1.1.3.3 11794469 Resolves an issue with OSSORegRequest.xml file.

This is fixed. Identical versions of this file are available from the following paths:

$ORACLE_HOME/oam/server/rreg/client/RReg.tar.gz/RReg.tar.gz

$ORACLE_HOME/oam/server/rreg/input

11.1.1.3.3 11705432 Resolves an issue that occurred when accessing a protected resource with query parameters using OAAMAdvanced Authentication Scheme. After authentication, the query parameters were missing from the URL.

This is fixed. The query parameters should be available with the resource.

11.1.1.3.3 10268749 Resolves a flaw that prevented the display of agent monitoring data and instead displayed an error "No Data Available"

This is fixed in this release.

Table 6 (Cont.) Known Issues in this Bundle Patch

Bundle Patch Number

Base Bug Number Description of the Problem

Page 24: Readme

24

11.1.1.3.3 9811736 Resolves an issue that occurred on the Coherence tab when local port and log limit exceeded the upper limit yet you were allowed to save these.

This is fixed. The validation check discovers values that exceed the upper limit and prohibits saving these.

11.1.1.3.3 11902502 Resolved an issue that occurred when the password expired. This is fixed in this release.

See Also: "Details of Fix for Bug 11920502" on page -29.

11.1.1.3.3 10117249 Resolves an issue where the IDMDomain agent set the expiry of OAMAuthnCookie to 1 day. When the user accessed any resource, the cookie was not deleted even when the user closed the browser without logout.

This is fixed in this release.

11.1.1.3.2 11812090 New path to remote registration template, and updated remote registration template for OSSO requests.

See Also:"Details of Fix for Bug 11920502" on page 29.

11.1.1.3.2 10030171 Added support for security ErrorModes with different error codes for each mode. You can set the URL of a custom application-specific error page, and you can modify the custom page to read the error code sent by OAM.

The ErrorMode you choose determines the nature of error messages and error codes returned by the OAM Server when an operation fails (because of an invalid username or password, for example, or a server error (connection to the LDAP Server is down)). With this setting, error messages can be configured with varying degrees of security:

■ SECURE: Most secure. Provides generic error messages that barely give any hint of the internal reason for the error.

■ EXTERNAL: Recommended level.

■ INTERNAL: Least secure level.

■ OSSO10g: Compatible with OSSO 10g. Might be required in upgraded environments for consistency.

For an example, see Step 13c in Section 6.1, "Preparing the Environment and Downloading the Bundle Patch".

See Also: "Details of Fix for Bug 10030171" on page 30 for a look at the new error codes.

Table 7 (Cont.) Details of Cumulative Bundle Patch 11.1.1.3.3

Bundle Patch Number

Base Bug Number Description of the Problem Solved

Page 25: Readme

25

11.1.1.3.2 10358262 Resolves an issue where Logout and Failure URLs were modified during an OSSO Agent update, not during remote registration.

Now, you can add new parameters to include the Logout and Failure URLs to OSSORequest.xml for consumption during remote registration.

Syntax

<logoutUrl>logout1.html</logoutUrl><failureUrl>failure1.html</failureUrl>

See Also:"Details of Fix for Bug 11920502" on page 29 for a look at the entire OSSO remote registration template.

11.1.1.3.2 10366135 Resolves an issue that allowed more than 60 characters for an OSSO 10g Agent name during remote registration when the host ID name was less than 60 characters and the autoCreate parameter was set to false.

With this fix, the remote registration tool restricts the agent name length to 60 characters, which matches the OAM Administration Console restriction on the agent name.

11.1.1.3.2 10074740 Resolves an issue that caused a NullPointerException when trying to edit an authentication policy with more than one response.

11.1.1.3.2 10246619 Resolves an issue that occurred when creating a new Agent using the OAM Administration Console and the name exceeded 30 characters.

This is fixed in this release. The maximum length name for all elements in the OAM Administration Console is 60 characters.

11.1.1.3.2 10374715 Resolves an issue that caused the resource modify operation to fail if the resource URL was not changed. If the resource URL was also changed the modification succeeded.

This is fixed in this release.

11.1.1.3.2 10268728 Resolves an issue that caused oamtest to fail to connect to the OAM Server when run under certain locales.

This is fixed in this release.

11.1.1.3.2 10395803 Resolves an issue that caused data source connection leaks to occur when Session Management-related SQL exceptions occurred.

11.1.1.3.2 10231560 When creating an OSSO Agent in the OAM Console, you could not choose a token version other than v3.0. However, with remote registration you could choose a token version for applications using other versions.

This is fixed in this release.

11.1.1.3.2 10324002 Resolves an issue that occurred when modifying an OSSO Agent using the OAM Console. After clicking Apply, there is a java.lang.NullPointerException error and the modification is not saved.

This is fixed in this release.

Table 7 (Cont.) Details of Cumulative Bundle Patch 11.1.1.3.3

Bundle Patch Number

Base Bug Number Description of the Problem Solved

Page 26: Readme

26

11.1.1.3.2 10414606 Resolves an issue that caused an error on logout when the Done URL passed during OAM single sign-off contained URL parameters with an empty value. URL parsing failed and an error page was shown.

This is fixed in this release.

11.1.1.3.2 10268943 Added support for the oldest OSSO token versions v1.0 and v1.1. Support for these tokens is implemented for GIT.

11.1.1.3.2 10186552 Resolves improperly implemented log statements for exceptions in for the identity store.

11.1.1.3.2 9927402 Resolves an issue that caused any change to OAM configuration to produce spurious harmless re-initialization, which manifested as Null Pointer exceptions in the logs.

This is fixed in this release.

11.1.1.3.2 10119361 Adds support for migrating partner (OSSO) information from one OAM instance to another.

For an example, see Step 6 "Test to Production" in Section 6.2, "Installing a Bundle Patch on Any Platform".

11.1.1.3.2 10216429 Resolves an issue that occurred after logging out from an application. Certain cookies (UCM Cookies, for example) were not deleted.

Adds a configuration option for deleting custom cookies set by OAM Server through response settings.

For an example, see Step 13b in Section 6.1, "Preparing the Environment and Downloading the Bundle Patch".

11.1.1.3.2 10414487 Resolves an issue that occurred in co-exist mode. If a user logged out of the SSO-enabled application and then tried to move to another application (for which he is already logged in), a login page appeared. After logging in to the second application again, a Forbidden 403 error occurred.

This is fixed in this release.

11.1.1.3.2 10101919 Resolves an issue that occurred when you created an authorization policy with more than one response. If you closed the authorization policy page and reopened it in Edit mode, a NullPointerException occurred if you edited the master table and clicked Apply.

This is fixed in this release.

11.1.1.3.2 11808098

10312014

11653678

10409363

10250303

10319761

10374189

See Also: Table 9, "Documentation Issues Resolved in This Bundle Patch".

Table 7 (Cont.) Details of Cumulative Bundle Patch 11.1.1.3.3

Bundle Patch Number

Base Bug Number Description of the Problem Solved

Page 27: Readme

27

11.1.1.3.1 10046811 Resolves a performance issue related to fetching user attributes specified as responses in authentication and authorization policies. This resulted in a large load on, and network round trips to the Identity Store.

This fix allows administrators to specify a list of user attributes to be cached at the time of user login such that no more round trips to the Identity Store are needed for subsequent fetches of user attributes.

11.1.1.3.1 10028066 Resolves an issue with policy processing caused by improper evaluation of Deny constraints and responses.

This is fixed in this release.

11.1.1.3.1 10023607 Resolves a persistence issue that resulted in a session attribute being set as null. The consequence was an error message, and the offending attribute was not stored. If the session was subsequently loaded from the database, the attribute would not exist.

This is fixed in this release.

11.1.1.3.1 10021797 Resolves an issue that occurred after following steps in "Configuring Single Sign-on for Administration Consoles" in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management. The result was a "404 Not Found" error when accessing a protected application deployed on WebLogic with a valid authorized user credential.

This is fixed in this release.

11.1.1.3.1 10021199 Resolves a potential issue that could allow certain browsers to double post after submitting credentials. After clicking the button on the default credential collector page to submit information, the button is disabled.

This is fixed in this release.

11.1.1.3.1 10015029 Resolves issues that could be caused when a migrated identity store (created on the initial upgrade run), was made the primary identity store and displaced the previous primary store.

This is fixed in this release. The created identity store is not activated automatically.

11.1.1.3.1 9969090 Resolves an issue that caused a "500 Internal Server Error" after accessing an OAM 11g-protected page and then immediately accessing an Oracle Identity Federation logout page.

This is fixed in this release.

11.1.1.3.1 10063987 Resolves an issue that caused the session count limit to be bypassed.

This is fixed in this release.

11.1.1.3.1 9948987 Resolves an issue that caused the OSSO 10g co-existence logs to show a message id instead of the actual message.

This is fixed in this release.

Table 7 (Cont.) Details of Cumulative Bundle Patch 11.1.1.3.3

Bundle Patch Number

Base Bug Number Description of the Problem Solved

Page 28: Readme

28

11.1.1.3.1 9947699 Resolves an issue that caused an "Action failure" issue when accessing a page protected with ADF Authentication.

This is fixed in this release.

11.1.1.3.1 9936385 Resolves an Oracle Access Manager audit report issue that resulted in error ORA-00923 when operating with an older version of Oracle Database.

This is fixed in this release.

11.1.1.3.1 9927123 Resolves an issue that caused poor performance when adding resources to protect in the application domain IDMDomain Agent.

This is fixed in this release.

11.1.1.3.1 9916485 Resolves an issue that occurred after integrating OAM and Windows Native Authentication. Kerberos negotiation seemed to succeed but you were not prompted for OAM SSO login (or basic authentication popup). The target WebLogic Server log reported <SSOFilter: SSO Tokens Present - No User in Session>.

This is fixed in this release.

11.1.1.3.1 9908111 Resolves an issue that delayed or prevented Policy Configuration tab navigation tree refresh after registering a Webgate on the System Configuration tab.

This is fixed in this release.

11.1.1.3.1 9866707 Increases the runtime efficiency of IP4 address range constraint evaluation.

11.1.1.3.1 9979140 Resolves a problem of improper policy evaluation for hierarchical resource-pattern-based policies.

11.1.1.3.1 10059867

9956832

Adds a new parameter to the Sessions tab under OAM Server Common Settings: Database Persistence of Active Sessions Enabled (checked by default).

To disable database persistence for active sessions, clear the checkbox and restart the OAM Servers.

The Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service will be updated to include the new information.

11.1.1.3.1 9919231 Resolves an issue that occurred after successfully protecting a resource after using Non-ASCII 11g Webgate names on computers with native server locales (Windows and Non-UTF8 Linux server locales). An "Action failed.Please try again." message appears on the SSO page.

This is fixed in this release.

Table 7 (Cont.) Details of Cumulative Bundle Patch 11.1.1.3.3

Bundle Patch Number

Base Bug Number Description of the Problem Solved

Page 29: Readme

29

Details of Fix for Bug 11920502When a password expired, the error code returned to the custom login page by the OAM Server was the same error code returned for invalid credentials. Error code OAM-10 has been added for this type of failure.

Bundle patch 11.1.1.3.3 adds error code OAM-10 to security modes that determine the nature of error messages returned by the OAM Server when an operation fails. Choose one of the following settings to configure error messages with varying degrees of security for your custom login pages:

■ SECURE: Most secure.

■ EXTERNAL: Recommended level.

■ INTERNAL: Least secure level.

■ OSSO10g: Compatible with OSSO 10g.

Table 8 identifies the new error codes, trigger conditions, and recommended messages.

11.1.1.3.1 9005892

10027991

10036037

10036252

10043664

10043668

10043673

10043737

10046441

10049963

10051423

10023625

10059867

10063999

Resolves documentation bugs. Look for information on these bug fixes in Table 10, " 11g Release 1 (11.1.1.3.0) Documentation Issues Resolved".

See Also: "Details of Fix for Bug 10030171" on page 30 for more information on External Error Codes.

Table 8 Added External Error Codes, Trigger Conditions, and Recommended Messages

External Error Code Trigger Condition

Recommended Display Message

OAM-10 Password expired. The password has expired.

Table 7 (Cont.) Details of Cumulative Bundle Patch 11.1.1.3.3

Bundle Patch Number

Base Bug Number Description of the Problem Solved

Page 30: Readme

30

Details of Fix for Bug 11812090Updated the path to the remote registration request files. The new location will appear in the next release of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service, as shown here:

$ORACLE_HOME/oam/server/rreg/client/RREG.tar.gz

The following updated OSSORequest.xml template will also appear in the next release of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

Example 1 Updated OSSORequest.xml

<OSSORegRequest> <serverAddress>http://{oam_admin_server_host}:{oam_admin_server_port} </serverAddress> <hostIdentifier>RREG_HostId</hostIdentifier> <agentName>RREG_OSSO</agentName> <agentBaseUrl>http://{web_server_host}:{web_server_port} </agentBaseUrl> <applicationDomain>RREG_OSSO</applicationDomain> <autoCreatePolicy>true</autoCreatePolicy> <ssoServerVersion>v3.0</ssoServerVersion> <oracleHomePath>$ORACLE_HOME</oracleHomePath> <virtualHost></virtualHost> <updateMode></updateMode> <adminInfo></adminInfo> <adminId></adminId> <logoutUrl>logout1.html</logoutUrl> <failureUrl>failure1.html</failureUrl></OSSORegRequest>

Details of Fix for Bug 10030171 Bundle patch 11.1.1.3.2 adds support for security modes with different error codes for each mode. The setting you choose determines the nature of error messages and error codes returned by the OAM Server when an operation fails (because of an invalid username or password, for example, or a server error (connection to the LDAP Server is down).

Choose one of the following settings to configure error messages with varying degrees of security for your custom login pages:

■ SECURE: Most secure. Provides generic error messages that barely give any hint of the internal reason for the error.

■ EXTERNAL: Recommended level.

■ INTERNAL: Least secure level.

■ OSSO10g: Compatible with OSSO 10g. Might be required in upgraded environments for consistency.

For an example, see Step 13d in Section 6.1, "Preparing the Environment and Downloading the Bundle Patch".

Table 9 identifies the error codes, trigger conditions, and recommended messages.

See Also: "Details of Fix for Bug 11920502" on page 29.

Page 31: Readme

31

9 Documentation Issues Resolved in This Bundle PatchTable 10 lists the documentation issues that have been identified in manuals describing Oracle Access Manager 11g Release 1 (11.1.1.3.0). These books will be updated during the next release of the product.

Table 9 External Error Codes, Trigger Conditions, and Recommended Messages

External Error Code Trigger Condition

Recommended Display Message

OAM-1 Invalid login attempts less than the allowed count.

An incorrect Username or Password was specified

OAM-2 Invalid login attempts less than the allowed count.

An incorrect Username or Password was specified

OAM-3 Processing submitted credentials fails for some reason. For example: in WNA mode, the SPENGO token is not received.

Internal Error.

OAM-4 An authentication exception is raised for some reason.

System error. Please contact the System Administrator.

OAM-5 The user account gets locked because of certain conditions (exceeded invalid attempts, for instance).

OIM Integration. The Error page appears with contact details after the password is validated.

The user account is locked or disabled.

Please contact the System Administrator.

OAM-5 The user account gets locked because of certain conditions (exceeded invalid attempts, for instance).

OID Without OIM Integration: The Error page appears with contact details after the password is validated.

The user account is locked or disabled.

Please contact the System Administrator.

OAM-5 The user account is disabled. The user account is locked or disabled.

Please contact the System Administrator.

OAM-6 The user has exceeded the maximum number of allowed sessions, which is a configurable attribute.

The user has already reached the maximum allowed number of sessions. Please close one of the existing sessions before trying to login again.

OAM-7 Failure could be due to multiple reasons; the exact reason is not propagated to the user level for security reasons. For instance:

■ The request ID could have been lost

■ The certificate is not retrieved correctly

The default error message is displayed when no other specific messages are propagated up.

System error. Please re-try your action. If you continue to get this error, please contact the Administrator.

Page 32: Readme

32

Table 10 11g Release 1 (11.1.1.3.0) Documentation Issues Resolved

Bug Description

11810433 Resolves an issue in the fix for bug 10358262 in the previous release of these notes, which incorrectly stated the logourUrl and failureUrl parameters (also found within Example 1 Updated OSSORequest.xml):

Correction:

<logoutUrl>logout1.html</logoutUrl> <failureUrl>failure1.html</failureUrl>

11072216

10409363

The Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service, configuring centralized logout Example 11-1 is missing one curly bracket. As a result, the logout page simply displays a blank page and the browser indicates an error on the page.

correction:

--- begin code snippet of end of the logout.html file- . . . } } //redirect the user to this URL window.location.href = SERVER_LOGOUTURL + newQueryString;}</script></head>

This puts the redirect outside the earlier if (origQueryString != null && origQueryString != "") { clause, which allows the redirect to take place whether the query string is null or not.

10205903 The section "Provisioning a 10g WebGate with OAM 11g" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service provides an incorrect version of OAMRequest_short.xml. The <autoCreatePolicy> parameter should appear before the <primaryCookieDomain> parameter.

Correction:

<OAMRegRequest> <serverAddress>http://sample.us.oracle.com:7001</serverAddress> <hostIdentifier>my-10g</hostIdentifier> <agentName>my-10g-agent1</agentName> <autoCreatePolicy>false</autoCreatePolicy> <primaryCookieDomain>.us.example.com</primaryCookieDomain> <logOutUrls> <url>/oamsso/logout.html</url> </logOutUrls></OAMRegRequest>

11808098 In the previous bundle patch notes, Oracle Access Manager Release Notes for Bundle Patch 11.1.1.3.1 Generic, the filename (configmgmt.jar) was stated incorrectly in Step 11.

See Step 11, under Section 6.1, "Preparing the Environment and Downloading the Bundle Patch", for the correction.

Page 33: Readme

33

10312014 In the previous bundle patch notes, Oracle Access Manager Release Notes for Bundle Patch 11.1.1.3.1 Generic, the path name was stated incorrectly in Step 7 directing you to remove class files from the _pages directory.

See Step 7, under Section 6.2, "Installing a Bundle Patch on Any Platform", for the correction.

11653678 The Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management does not mention that, after upgrading from OSSO 10g to OAM 11g the Administrator must explicitly set the Identity Store (migratedUserIdentityStore) as the primary store.

Resetting the primary Identity Store is also required after applying this bundle patch.

Correction:

The Administrator must explicitly set the Identity Store (migratedUserIdentityStore) as the primary store after upgrading from OSSO 10g to OAM 11g. This enables users to log in to and out of integrated Partner Applications (DAS 10g and Oracle E-Business Suite, for instance) as a valid user (defined in your Oracle Internet Directory data store.

Exactly when this task is required depends on when the migration from OSSO 10g to OAM 11g occurs.For instance:

■ Migration Before Bundle Patch 02 Installation: Apply Bundle Patch 02 and then reset the primary Identity Store (migratedUserIdentityStore) before logging in to integrated Partner Applications.

■ Migration After Bundle Patch 02 Installation: Reset the primary Identity Store after migration and before logging in to integrated Partner Applications.

Step 9 in Section 6.2, "Installing a Bundle Patch on Any Platform" is required after applying the bundle patch to an OAM 11g deployment that was migrated from OSSO 10g.

10250303 The Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service, session-management chapter, should mention the following:

When Oracle Access Manager 11g is integrated with Oracle Identity Federation, and you use the Oracle Access Manager Session Management function to clear the session, only the Oracle Access Manager session is cleared (not the Oracle Identity Federation session).

10319761 The Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service, should mention that:

The number of characters a user can use in a URL is based on different browser versions. Ensure that your applications do not use URLs that exceed the length that Oracle Access Manager and the browser can handle.

10374189 Both the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service and the Oracle Fusion Middleware High Availability Guide should mention the following:

In load-balanced environments, if the Host element in the server registration does not specify the DNS name of one of the physical servers (not that of the fronting load balancer), then standard login might work in a somewhat random manner.

9005892 The following topic will be removed from the Troubleshooting chapter because it is not relevant: "Unable to Cancel Some Operations".

Table 10 (Cont.) 11g Release 1 (11.1.1.3.0) Documentation Issues Resolved

Bug Description

Page 34: Readme

34

10027991 The following details will be added to the chapter on Session Management in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service:

Oracle Access Manager 11g uses Tangosol Coherence to replicate session states within a distributed installation. Coherence is used to communicate state changes between the OAM Administration Console and OAM Servers. Coherence relies on User Datagram Protocol (UDP) for cluster discovery and heartbeat. If a firewall exists between certain components of OAM 11g, then the corresponding UDP ports used by Coherence must be open. Otherwise, OAM 11g might not work correctly. For more information, see "Using Coherence" in the Troubleshooting appendix.

10036037 Information on conflict resolution during a transition from test (source) to a production (target) environment will be removed. Policy conflicts are resolved automatically.

10036252 In scenarios environments OHS and load balancers, additional settings are needed to propagate the actual client IP address to application. These will be added to the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management, as follows:

After mod_weblogic is configured, the remote IP address received at the server side is that of OHS and not that of client (browser). To resolve the issue, configuration changes are required at that can be set using the WebLogic Administration Console. When OAM Servers are front-ended by OHS, perform the following to propagate the client (browser) IP address to OAM Server and AdminServer.

Note: For an OAM Server, click Servers and the OAM Server name (or AdminServer for audit logs to capture a proper client IP address). If you have an OAM Server Cluster, click Clusters and the OAM Server Cluster.

1. Log in to the WebLogic Administration Console.

2. Go to Environment, click Servers and click the OAM Server.

3. Select the Configuration main tab and General sub tab.

4. Expand 'Advanced'.

5. Check the box for WebLogic Plug-In Enabled configuration.

6. Save changes and restart servers.

Load Balancer Notes: If you have a load balancer front-ending the OAM Server, the client IP address is used by OAM Server for audit and session information. The Load Balancer must insert the original client IP address of a request in an X-Forwarded-For HTTP header or a similar feature to preserve the Client IP Address. The virtual host must be configured to preserve the client IP address for a request. However, the exact steps to configure a load.

10043664 The following correction will be included in the chapter "Securing Communication with OAM 11g" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service to add a missing argument (-config openssl_silent_ohs11g.cnf) to the following procedure.

To retrieve the private key and certificates for OAM 11g Server

1. Generate both the certificate request (aaa_req.pem) and the Private Key (aaa_key.pem):

–OpenSSL req –new –keyout aaa_key.pem –out aaa_req.pem –utf8 -nodes -config openssl_silent_ohs11g.cnf

Table 10 (Cont.) 11g Release 1 (11.1.1.3.0) Documentation Issues Resolved

Bug Description

Page 35: Readme

35

10043668 The following correction will be included in the chapter "Securing Communication with OAM 11g" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service to correct Steps 1 and 2 (and the syntax of -trustcacerts in Step 3)

To import certificates into the keystore

1. Locate the keytool for OAM 11g in the following path:

MW_HOME/jdk160_18/bin/keytool

2. Unzip importcert.zip and locate the Readme file in the following location:

ORACLE_IDM/oam/server/tools/importcert

3. Import the trusted certificate chain using the following command and details for your environment. For example:

keytool -importcert -file aaa_chain.pem -trustcacerts -storepass <password>-keystore <MW_HOME>\user_projects\domains\domain_name\config\ fmwconfig\ .oamkeystore -storetype JCEKS

10043673 The following correction will be included in the chapter "Securing Communication with OAM 11g" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service to specify the proper command syntax in Step 5c:

To import certificates into the keystore

5c. Import signed PEM format certificates using the following command line arguments and details for your environment:

- java -cp importcert.jar:$CLASSPATHoracle.security.am.common.tools.importcerts.CertificateImport -keystore <> -keystorepassword <> -privatekeyfile <> -signedcertfile <> -alias [-aliaspassword <>]

10043737 The following correction will be included in the chapter "Securing Communication with OAM 11g" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service to specify the proper location of files in Step 7:

To update the communication mode in the Webgate Agent registration

7. Copy the following files (created during "Generating a Private Key, Certificate Request, Installing Certificates for OAM Server") as follows:

■ From:

aaa_key.pem: Webgate11g_home/Webgate/ohs/tools/openssl aaa_cert.pem: Saved location after receiving from CA aaa_chain.pem: Saved location after receiving from CA

■ To: OHS_INSTANCE_HOME/config/OHS/ohs2/Webgate/config

10046441 A new topic will be included in "Troubleshooting" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service, as follows:

Concurrent configuration updates are not supported. Administrators performing updates concurrently will result in an inconsistent state within the system configuration of the OAM Administration Console.

Only one administrator should be allowed to modify the system configuration at any given time.

Table 10 (Cont.) 11g Release 1 (11.1.1.3.0) Documentation Issues Resolved

Bug Description

Page 36: Readme

36

10 Components Included with this Bundle PatchThe certification release level included in this bundle patch=None. This bundle patch is released against initial full-installer Webgate packages.

Compatible OAM Servers: 11.1.1.3.0

10049963 The following additional detail will be included in the chapter "Securing Communication with OAM 11g" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service to ensure the reserved key and cert file names are not changed:

About Cert Mode Encryption and Files

■ aaa_key.pem (reserved name for Webgate key file, which cannot be changed)

■ aaa_cert.pem (reserved name for Webgate certificate file, which cannot be changed)

■ aaa_chain.pem (reserved name for CA Cert for Webgate side)

10051423

10023625

The Oracle Fusion Middleware High Availability Guide will be updated to remove details about changing the request cache type, because the Request Cookie is now enabled by default. If your environment is cookie-intolerant or you need to improve performance during the authentication flow, you can regain a small percentage of the performance as follows: You must have a load balancer configuration and the same OAM Server must be used during the entire authentication flow. In this case, you can disable the request cookie to regain some performance.

10059867 The Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service will be updated to include details of the Database Persistence of Active Sessions Enabled parameter on Sessions tab under OAM Server Common Settings. See Also Table 7.

Note: When enabled, the Database Persistence of Active Sessions parameter persists active sessions to the configured database session store, in addition to the local and distributed caches. Sessions are retained even if all OAM Servers die off. If this is overkill for your environment, or you want to perform deployment sizing to take into account the database, you can clear the checkbox and restart all OAM Servers to disable this function.

10063999 The following will be added to the "Getting Started with OAM Administration and Navigation" chapter of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service:

Warning: Starting the AdminServer the first time can take an unusually long time: 12-15 minutes, for example. This process must not be interrupted or terminated. If the startWebLogic.cmd is stopped for any reason (whether accidently or a system crash or a reboot), policy data might be corrupted. This would require removal and recreation of the domain and rerunning of the RCU to create the OAM schema.

See Also: Oracle Access Manager Release Notes for Webgate 11g (11.1.1.3) Linux, Solaris, Windows, HP-Itanium, AIX, and HP PA-RISC Operating Systems for details about Webgates delivered with Oracle Access Manager Bundle Patch 11.1.1.3.3

Table 10 (Cont.) 11g Release 1 (11.1.1.3.0) Documentation Issues Resolved

Bug Description

Page 37: Readme

37

Oracle Access Manager, Release Notes, Bundle Patch 11.1.1.3.3 Generic

Copyright © 2000, 2011 Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

This software is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

This software and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

Note: To remain in an Oracle-supported state, Oracle recommends that you apply the bundle patch to all installed components for which packages are provided.

Page 38: Readme

38