Forum Stats

  • 3,824,997 Users
  • 2,260,452 Discussions
  • 7,896,379 Comments

Discussions

Oracle Access Manager

User_MZAB9
User_MZAB9 Member Posts: 6 Green Ribbon

Hi,

my client is still on the OAM version 10.1.4.3.0 and it is all working fine till couple of days before.

However suddenly the search/view of customer profiles throws "Win32 exception caught in Modulemain" error pops up in the browser.

Could any one please provide suggestion.

Thanks,

SG

Best Answer

Answers

  • User_2JNLU
    User_2JNLU Member Posts: 4 Green Ribbon

    If you change the clock on the Windows server back prior to 16th March, 2022 (say 1st March) it should work again (remember to disable the NTP service).

    We have the same issue. It's not a long term solution (well, 16 days to be precise!). We have raised an SR and hope for a fix. I think the issue is in Oracle Identity Manager (OIM) which is version 9.1 in our case (our OAM is 10.1.4.3 same as yours).

    So, if you raise an SR, hopefully Oracle will put some effort into a fix (rather than an upgrade which in our case is unpleasant, especially as we only need IDAM for a few more months!).

  • User_MZAB9
    User_MZAB9 Member Posts: 6 Green Ribbon

    Hey,

    After changing the date to 15th March, it works like a charm.


    Thanks

  • User_2JNLU
    User_2JNLU Member Posts: 4 Green Ribbon

    The Identity Console sets the ObPERM cookie with an expiry of 500,000,000 seconds in the future (about 16 years). This is beyond 19/1/38 (2^31-1 seconds since epoch) and so fails.

    If you want to know exactly when this all went wrong, it must have been Thursday, 17 March 2022 at 02:20:48.

    Options I can think of are:

    1. Add the Linux32 Identity Server to the deployment and then use Linux32 Identity Server console for all activities that are broken on the Windows Identity Server console.
    2. Use the Azure Proxy Connector: Header-based authentication with Azure Active Directory | Microsoft Docs (not Oracle's suggestion!).
    3. Something horribly hacky (set system clock in the past, etc).

    Anyone with any other ideas?

    User_MZAB9
  • User_MZAB9
    User_MZAB9 Member Posts: 6 Green Ribbon

    So it is the problem with ObPERM cookie.

    I want to understand why the ObPERM cookie expires date will create problem only after march 17th, 2022 and not before that?

    Also how you calculated/guessed the problem would have started after 17th March 2022.

    May be understanding that scenario will give some clue to fix this.

    Can you help?

  • User_2JNLU
    User_2JNLU Member Posts: 4 Green Ribbon

    Note that I don't work for Oracle and so I'm just using logic, digging and guesswork.

    The identity server seems to want to write the ObPERM cookie with customisation details. You should find on your working server that the time difference between the server and the date written on the cookie is 500,000,000 seconds which is about 16 years. It must take the current system date as seconds since epoch (ie: seconds since 1/1/1970) and add 500,000,000. It then calls gmtime_r with that number, which is bigger than 2^31-1 (32-bit signed) and so crashes. I calculated the dates using www.epochconverter.com rather than manually convert seconds to dates.

    Unfortunately it seems to cause collateral failure of (eg) password change until the service is restarted. We are in a position to be able to withdraw calls to Identity Server, whilst continuing with password management, login, etc which all works (when Identity Server isn't crashing).

    Other options would be to move the affected components to Linux, wait for an Oracle fix (although the software is out of support) or some hacky solutions (not recommended) like replace gmtime_r (Google that one) or various options around decompiling code or leave the clock behind in time (be aware how non-pain free that is).

    The software is only in Sustaining support from Oracle - your client will have plans for its replacement - accelerating those may be good.

    The only realistic options IMHO are: Use Linux (even if just for that one component), stop using it (still okay for login, change password, etc) or raise an SR and wait for Oracle.

    I always think it's worth raising an SR either way.

  • User_2JNLU
    User_2JNLU Member Posts: 4 Green Ribbon
    Answer ✓

    Well, I never expected that for software that went into Sustaining support in December 2013! A patch! Well done Oracle!!

    Log in to My Oracle Support and download Patch 33983548 (WIN32 EXCEPTION CAUGHT IN MODULEMAIN ERROR NOTICED WITH OIS SERVER UI TO SEARCH).

    There are two bundle patches to install first (if you haven't already). See the readme here: https://updates.oracle.com/Orion/Services/download?type=readme&aru=24717007

    The actual patch is very simple (as expected).

  • User_MZAB9
    User_MZAB9 Member Posts: 6 Green Ribbon

    How difficult it will be to apply the pre-requisite patches to the 10.1.4.3 OAM server.

    I have never done the patching though. Any steps would be of great help

    Thanks,

  • User_2JNLU
    User_2JNLU Member Posts: 4 Green Ribbon

    It's just taken our DBA 5 hours to do the pair of Dev servers. Take it carefully with snapshots/backups in place. It will take a while to test it all works okay, but initial tests are good. Prod and Test servers will be harder as they're physical (though now it's practised on Dev, that should help).

    The instructions on My Oracle Support are good - Bundle patch 13 (13718105) is the most involved. The Point-In-Time (PIT) Snapshot Patch 28 (23762129) is copying files, stopping services, running a script. The actual patch you're after (33983548) is just a new copy of ois_server.exe that you put in the correct place! Follow the readme carefully.

    Do check if those prerequisite patches are already installed - you may be lucky.

    Raise an SR at https://support.oracle.com/ - they will guide you.

    All the best.