Rigorous Analysis Techniques for Solving Complex Problems

FAQ/Troubleshooting

Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager

Table 23–3 (Cont.) Problems and Tips

Problem: OAAM CLI Script Issues
Checks You Can Perform:
■ Make sure the JAVA_HOME environment variable is set to the JDK certified for the Identity Management Suite for 11g.
■ Make sure CLI related properties are set in the oaam_cli.properties file.

Problem: SOAP Call Issues
Checks You Can Perform:
■ Known issues exist with time-outs in SOAPGenericImpl.
■ OWSM is enabled by default, so you need to set the OWSM policy before using SOAP.
■ Make sure the SOAP server URL, including the port number, is valid.

Problem: Native Integration Issues
Checks You Can Perform:
■ Make sure the appropriate version of the OAAM Extensions Shared Library is used (the WAR should use the war version and the EAR should use the ear version).
■ Make sure the OAAM data source is created and the JNDI name is correct (it should match the JNDI name of the OAAM Server).
■ Make sure the native application is using the same keys that are used by the OAAM Admin and OAAM Server.
■ Issues with the encryption keys:
– Make sure all the managed servers are on the same WebLogic domain, or copy the keys across the domains.
– If using non-11g servers, use the Java keystores.
■ Shared library usage by many applications on the same server: currently the OAAM Extensions Shared Library cannot be used by more than one application on the same managed server.

23.3 OAAM UIO Proxy

UIO ISA Proxy

To troubleshoot the OAAM UIO Proxy Web publishing issues:
■ Ensure that the .NET 2.0 framework is installed and enabled to successfully register the Bharosa Proxy DLL.
■ Ensure the database access credentials are correct when the firewall logging properties in Microsoft ISA use the SQL Database as the log storage format.
■ IP exceptions are defined for trusted IPs like Router IP when flood mitigation settings are enabled to mitigate flood attacks and worm propagation.
■ Ensure that the default inbound and outbound rules allow HTTP/HTTPS traffic to be forwarded to/from OAAM Server.
■ Check the order precedence of the rules to ensure that the default rule, deny, is not at a higher order; otherwise, it blocks all rules. If the rule is last in precedence, all rules are executed.
■ In the OAAM Server rule you must ensure that:
– The external IP/name is mapped to the internal IP/name
– The external port is mapped to the internal port where OAAM Server is listening
– The OAAM Server path is published

To troubleshoot problems experienced while configuring the UIO Proxy, enable tracing to a file and set the trace level to 0x8008f. Doing so will print detailed interceptor evaluation and execution information to the log file.

UIO Apache Proxy

Tips to troubleshoot problems with the UIO Apache Proxy are listed in this section.
■ On launching httpd, an error for loading mod_uio.so occurs. Ensure that mod_uio.so and all the libraries are placed in the proper directories. On Linux, use the ldd command to confirm that mod_uio.so can load all the dynamic libraries that it depends upon. On Windows, use Dependency Walker to find any missing DLLs; in some cases, you may have to install the Microsoft Visual C++ 2005 Redistributable Package from the Microsoft Web site, if your server does not have these libraries pre-installed.
■ If nothing is working (no logs and so on), ensure that the user of httpd has permissions to read the uio directory. Typically httpd is run as a daemon user. Ensure the daemon user has write permissions for the logs directory.
■ In case of a parsing error in UIO_Settings.xml or any configuration XML, an error log will be created in httpd's logs directory with the name UIO_Settings.xml.log.
■ For errors, look in uio.log. Use a log level of error for production use, info for more details, debug for debugging issues, and trace for verbose logs.
■ Ensure that the config XML and settings XML conform to the RNG schema. You can use UIO_Settings.rng and UIO_Config.rng in any XML editor to edit the UIO_Settings.xml and application configuration XML files.
■ You can change the Apache httpd log level to debug for testing, or keep it at info to reduce log file size. The Apache httpd log is separate from the UIO Apache Proxy log.
■ When migrating ISA configuration XML to be used with the UIO Apache Proxy, you need to do the following:
1. Change the header of the XML file to use:
    <?xml version="1.0" encoding="utf-8"?>
    <BharosaProxyConfig xmlns="http://bharosa.com/">
2. Run your config XML file through libxml2's xmllint utility. For Windows, download the latest libxml2-2.x.x.win32.zip file from http://www.zlatkovic.com/libxml.en.html and unzip it. For Linux, if you have libxml2 installed then the xmllint command should be available, or check with your Linux System Administrator. Copy the UIO_Config.rng file from the UIO Apache Proxy distribution and run the following command:
    xmllint --noout --relaxng UIO_Config.rng <your config xml file>
And fix any errors that are reported.
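The UIO Apache Proxy checks above (ldd resolution, daemon-user permissions, the migrated XML header, RELAX NG validation) can be combined into one preflight script. This is an added example, not part of the Oracle guide; the function names and the five path arguments are assumptions, and the header strings are the step 1 values with their quoting and slashes written out.

```shell
#!/bin/sh
# Added example: preflight checks for a UIO Apache Proxy host.
# All paths are supplied by the caller; none are Oracle defaults.

# Read ldd output on stdin, print each library reported as "not found".
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# True if the config has the XML declaration and the namespaced root
# element that the UIO Apache Proxy expects (ISA files lack them).
has_apache_header() {
    head -n 5 "$1" | grep -qF '<?xml version="1.0" encoding="utf-8"?>' &&
    head -n 5 "$1" | grep -qF '<BharosaProxyConfig xmlns="http://bharosa.com/"'
}

# True if the current account can read $1 (uio dir) and write $2 (logs dir).
# Run the script as the httpd daemon user for a meaningful answer.
dir_ok() {
    [ -r "$1" ] && [ -x "$1" ] && [ -w "$2" ]
}

# $1 mod_uio.so  $2 uio dir  $3 logs dir  $4 config XML  $5 UIO_Config.rng
preflight() {
    rc=0
    [ -f "$1" ] || { echo "$1: module not found"; return 1; }
    libs=$(ldd "$1" 2>/dev/null | missing_libs)
    [ -z "$libs" ] || { echo "unresolved libraries: $libs"; rc=1; }
    dir_ok "$2" "$3" || { echo "cannot read $2 or cannot write $3"; rc=1; }
    has_apache_header "$4" || { echo "$4: header not migrated from ISA form"; rc=1; }
    xmllint --noout --relaxng "$5" "$4" || rc=1
    return $rc
}

if [ "$#" -eq 5 ]; then
    preflight "$@"
else
    # Constructed ldd output showing what missing_libs extracts.
    printf '  libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x0)\n  libexample.so.1 => not found\n' |
        missing_libs
fi
```

Run it with the five paths as the account httpd runs under; a non-zero exit means at least one check failed.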