General Issues and Workarounds

This section describes the following issues and workarounds:

Multi-Byte Characters Display Incorrectly in Filenames When Using Safari

Issue

Impacted Platforms: All

When using the Safari browser to download content, if a filename contains multi-byte characters, the characters are displayed as '------' in the filename.

Workaround

Set UseHeaderEncoding to true on the Managed Server. Use the following WLST commands to do so:

connect("admin_name", "admin_password", "t3://localhost:port")
edit()
startEdit()
cd("Servers/server_name/WebServer/server_name")
set("UseHeaderEncoding", "true")
save()
activate()
exit()

Strong Password Enforcement May Cause Issues With WLST Offline Scripts

Issue

Impacted Platforms: All

With the implementation of strong password enforcement (8 character minimum with one numeric or special character) in this release of WebLogic Server, existing scripts could potentially encounter issues.

Workaround

Use either of the following workarounds to bypass the new password restrictions.

Set the BACKWARD_COMPAT_PW_CHECK environment variable to true .

Include the -Dbackward.compat.pw.check=true option when invoking WLST.

Oracle recommends that you change passwords to comply with the new password requirements, as this variable and option will be removed in a future release of WebLogic Server.

In Turkish Locale, MDS Initialization Fails

Issue

Impacted Platforms: All

Any applications that use an MDS repository cannot be deployed or run with the JAXB version bundled with WebLogic Server as null values are returned for attributes named id

Workaround

Start the server in English locale.

Administration Server Reports a 'Too Many Open Files' Message on the EM Console

Execute the following command to determine the maximum number of file descriptors currently configured:

cat /proc/sys/fs/file-max

If the value is less than 65535, perform the following steps:

Workaround

Use one of the following workarounds:

Partition Listener May Not Receive MBean Unregistration Notification

Issue

Impacted Platforms: N/A

In some cases, a partition listener may not receive notifications when an MBean is unregistered from an MBean server, even though the partition is enabled to receive notifications. This is due to some limitation in the current implementation of WebLogic Server 12.2.1.

Workaround

Currently there is no known workaround for this issue.

WL MT Partition Scoped Configuration Changes Are Ignored

Issue

Impacted Platforms: N/A

Changes to an existing RG and RGT scoped non-module configurations may be ignored even after a partition restart. Changes to resource group overrides may also be ignored. However, changes to module-scoped configurations such as data source tuning, JMS destinations, and connection factories are unaffected by this issue.

The changes appear to be correct if queried via WLST but old values continue to be consumed within the server instance.

Workaround

Restart the server for the new values to take effect.

Issue

Impacted Platforms: N/A

This issue occurs when there are two resource group templates containing resources of the same type and sharing the same name.

When a resource group is initially targeted to one resource group template, and is then targeted to the second resource group template, and changes are then made to the resource with the shared name in the second resource group template, those changes may not be reflected. The resource group might continue to use the value from the resource in the first resource group template.

Workaround

To bypass this issue, use either of the following workarounds:

No Support for Explicit Port and Port Offset for Global Virtual Targets

Issue

Impacted Platforms: N/A

WebLogic Server provides support for setting the Explicit port and port offset for virtual targets. However, currently the setting for Explicit port and port offset can take effect only for virtual targets that are assigned to a partition. For Global Virtual Targets (the virtual targets that are not assigned to any partition), the settings for Explicit port and port offset do not take effect.

Workaround

Limitation of Using the JMX Thin Client

Issue

Impacted Platforms: N/A

Due to recent changes in JDK, WebLogic Server no longer supports JMX with just the wlclient.jar file. To use JMX, you must use either the WebLogic full client, (weblogic.jar) , or the wljmxclient.jar file.

High Number of Application Threads May Cause a Server to Stall

Dependency Injection Issues and Workarounds

This section describes the following issues and workarounds:

BeanManager Does Not Contain a ValidatorFactory Bean in Lifecycle Events

Issue

Impacted Platforms: N/A

If a CDI extension is observing the lifecycle events AfterBeanDiscovery or AfterDeploymentValidation, an attempt to get a javax.validation.ValidatoryFactory bean instance will fail. For example:

public class MyExtension implements Extension {
     void checkValidatorFactoryBean(@Observes AfterBeanDiscovery abd, BeanManager bm) {
          Set<Bean<?>> validatorFactoryBeans
          = bm.getBeans(ValidatorFactory.class,
          new AnnotationLiteral<Default>() {});
     if (validatorFactoryBeans.isEmpty()) {
          throw new RuntimeException("Container provided BeanManager doesn't contain a bean of javax.validation.ValidationFactory");

The example code above will cause a RuntimeException because the BeanManager cannot get a ValidatorFactory bean instance. This occurs because the ValidatorFactory and Validator bean types were removed from the built-in beans starting in CDI 1.1. In CDI 1.1 and later, ValidatorFactory and Validator beans are defined by the following extension: org.hibernate.validator.internal.cdi.ValidationExtension .

Note that when called during invocation of an AfterBeanDiscovery event observer, this method will only return beans discovered by the container before the AfterBeanDiscovery event is fired.

Workaround

CDI Enabled EAR with Non-CDI Enabled WAR Does Not Work Correctly

Issue

Impacted Platforms : N/A

If an application contains both a CDI enabled EJB module and a non-CDI enabled web module, events defined with the following qualifier are not sent:

@Initialized(ApplicationScoped.class) and @Destroyed(ApplicationScoped.class)

Deployment Issues and Workarounds

This section describes the following issues and workarounds:

security-permission Element is not Available in weblogic-application.xml

Issue

Impacted Platforms: All

The security-permission element is available in the weblogic.xml and weblogic-ejb-jar.xml deployment descriptors, but is not available in the weblogic-application.xml descriptor. Therefore, in an Enterprise application, you can only apply security policies to JAR files that are EJBs or Web applications.

Issue

Impacted Platforms: All

The weblogic.Deployer tool interprets any extraneous string values between command-line arguments as a file specification. For example, if you enter the command:

java weblogic.Deployer -activate -nostage true -name myname -source c:\myapp\mymodule

the tool attempts to activate a file specification named true, because the -nostage option takes no arguments and true is an extraneous string value.

Issue

Impacted Platforms: All

The restore method does not correctly update the DConfig Bean with the plan overrides. For example, given the following steps:

  DeployableObject dObject =
     WebLogicDeployableObject.createDeployableObject(new File(appName));
  DeploymentConfiguration dConfig =
     WebLogicDeploymentManager.createConfiguration(dObject);
  dConfig.restore(new FileInputStream(new File(plan)));

the plan does not correctly override the DConfig Bean.

Workaround

Specify the plan when initializing the configuration for the application. For example:

    helper = SessionHelper.getInstance(
        SessionHelper.getDisconnectedDeploymentManager());
    helper.setApplication(app);
    helper.setPlan(new File(plan));
    helper.initializeConfiguration();

Deployment Task Fails When a Large Application File Is Deployed

Issue

Impacted Platforms: All

When a large application file is deployed using the upload option, the deployment task fails with the following error:

java.lang.OutOfMemoryError: Java heap space

To resolve this issue, a new system property, weblogic.deploy.UploadLargeFile , has been added. If you see this issue, include this flag in the java command you use to launch a deployment client.

If you are using the WebLogic Server patch releases 9.2 MP2, 9.2 MP3,10.0 MP1, 10.0 M2, 10.3, 10.3.1, 10.3.2, or 10.3.3, this flag is not needed.

Workaround

Attempting to Redeploy an Application Fails if the Application is Already Deployed Using a Different Source File Location

Issue

Impacted Platforms: Linux

If you initially deployed an application using one source file location, then attempt to redeploy the application using a new location for the source file, the deployment fails with the following exception:

New source location <new_source_file_path> cannot be configured deployed to 
configured application, <application_name>. The application source is at 
original_source_file_path. Changing the source location is not allowed for a 
previously attempted deployment. Try deploying without specifying the source.

This is due to a WebLogic Server deployment restriction. Once you specify the source file for a deployment, you cannot change it on a redeployment.

Workaround

Undeploy the application before attempting to redeploy it using a new source file location.

Relevant Output Message Not Displayed

Issue

Impacted Platforms: All

If you create an application and deploy it to a target, and then try to deploy that same application to that same target, no relevant output message is displayed to inform you that your application is already deployed to that particular target. This occurs because when the application is deployed the second time it is considered to be the equivalent of a redeploy.

Workaround

Application Names Must Be Unique Within a Domain

Issue

Impacted Platforms: All

As of WebLogic Server 12.2.1, when deploying an application to a domain with a specified application name, if that application name is already in use in the current domain, the application deployment fails.

This is a behavior change from previous WebLogic Server versions, when specifying the same application name caused WebLogic Server to automatically derive a unique name based on the specified name.

Workaround

To avoid application deployment failure, specify unique names for all applications in a domain.

Developer Experience Issues and Workarounds

This section describes the following issue and workaround:

Users Need to Set BEA_HOME System Property While Using Appc For Pub-Sub Modules

Issue

Impacted Platforms: All

An error occurs when using the appc Maven plug-in after installing WebLogic Server Maven artifacts to the local repository using the Maven synchronization plug-in.

Workaround

WebLogic Server pub-sub libraries rely on the BEA_HOME system property to resolve compiler issues. Set the BEA_HOME system property while running appc on pub-sub applications for compilation to resolve these dependencies.

Using JBoss 5 as a Foreign Provider for a JMS Messaging Bridge Causes Issues

Issue

Impacted Platforms: All

Workaround

Oracle recommends that you upgrade to JBoss 7 to avoid this issue.

JNDI Issues and Workarounds

There are no known JNDI issues in this release of WebLogic Server.

JTA Issues and Workarounds

This section describes the following issue and its workaround:

Transaction Protocol Changes May Cause Inconsistent Transaction Outcomes

Issue

Impacted Platforms: All

When the transaction protocol for a data source is changed, it is necessary to restart all targeted servers in order to avoid inconsistent transaction outcomes.

Workaround

Issue

Impacted Platforms: All

<Warning> <JTA> <BEA-111020> <An issue occurred during cross-site recovery processing: PeerSiteRecoveryLeaseMaintenance: Unable to create either connection or prepared statements for cross-site recovery..>

Workaround

You can work around this issue by using domain logging filter.

Java Virtual Machine (JVM) Issues and Workarounds

This section describes the following issues and workarounds:

1.4 Thin Client Applet Cannot Contact WebLogic Server

Issue

Impacted Platforms: All

Due to a known Sun Microsystems VM bug (513552), a 1.4 Thin Client Applet cannot contact WebLogic Server 9.0 or later. This is because the VM does not distinguish correctly between a client and a server connection. The VM creates a server-type connection and caches it. It then attempts to make a client-type connection, finds the cached connection and tries to use that, but then encounters an error because clients are not allowed to use server connections.

Workaround

Applications Running on Some Processors May Experience Intermittent Time Issues

Issue

Impacted Platforms: RedHat Linux

Applications that run on RedHat (RH) Linux and that also directly or indirectly use system time calls may experience intermittent time issues if the ClockSource is set to tsc (the default). The standard POSIX C gettimeofday() call, and consequently also the Java System.currentTimeMillis() and java.util.Date() calls can intermittently return a value that is approximately 4400 seconds in the future, even in a single-threaded application.

This issue is not unique to WebLogic or Java, but applies to any application running on RH Linux. Issues can occur for applications that either explicitly make a time call using standard Java, or explicitly by using any time-based application server services.

Possible symptoms include, but are not limited to, premature transaction timeouts, unexpected expiration of JMS messages, and incorrectly scheduled timers.

This issue was fixed in RedHat 5.3.

Workaround

JRockit JVM Appears to Freeze When Doing Long Array Copies

Issue

Impacted Platforms: Linux

The JRockit JVM appears to freeze when doing long array copies as part of unlimited forward rolling. This can happen when multiple server reboots occur due to Out Of Memory conditions.

When booting the servers, include the following JRockit JVM flag:

 -XXrollforwardretrylimit:-1

Serial Version UID Mismatch

Issue

Impacted Platforms: Linux

A Serial Version UID Mismatch issue is encountered if you deploy an application on a latest JVM, but compiled with previous Service Release of IBM Java 6 JDK.

Workaround

To be compatible with the serialization of previously compiled applications, modify the WL_HOME /common/bin/commEnv.sh file to include the following command:

JAVA_OPTIONS="$JAVA_OPTIONS 
-Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0"

Alternatively, you can use the command line option:

export IBM_JAVA_OPTIONS=
"-Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0"

If you intend to deploy new applications with previously compiled applications, they must be recompiled as necessary to have the same Serial Version UID.

JVM Stack Overflow

Issue

Impacted Platforms: Linux

You might encounter a JVM stack overflow error or exception while running WebLogic Server. This issue applies to Oracle Enterprise Linux 4, 5, 5.1 on AMD64 and 64-bit Xeon platforms.

Workaround

Increase the stack size from the default 128k to 256k.

Using AWT libraries May Cause a JVM Crash

Issue

Impacted Platforms: Linux x86

You might encounter a JVM crash when using GUI libraries such as AWT or javax.swing (which often delegates to AWT).

Workaround

Start the server using the following flag:

-Djava.awt.headless=true

Life Cycle Management Issues and Workarounds

This section describes the following issues and workarounds:

Lifecycle Config Plugin Path May Not be Updated After Unpacking Domain

Issue

Impacted Platforms: All

When packing a domain that has been configured to use Lifecycle Manager in one environment using the pack command, and unpacking it in another environment, the plugin paths contained in the <Domain>/config/lifecycle-config.xml file may still reference the Oracle Home directory paths from the source environment.

Issue

Impacted Platforms: All

In an integrated environment involving Weblogic Server, Oracle Traffic Director (OTD), and Lifecycle Manager, if the out of band functionality of Lifecycle Manager is enabled then the expectation is that any change in resource groups including targeted changes to domain partitions will be sent to OTD using Lifecycle Manager. However, as of 12.2.1, this behavior has changed; the updates to resource groups, including adding or deleting a resource group, are not being sent to OTD.

Workaround

You must restart the domain partition after targeting configuration changes. This ensures that OTD is updated with the latest configuration changes in resource groups.

Monitoring Issues and Workarounds

This section describes the following issue and workaround:

MBean Attributes Not Explicitly Marked as @unharvestable Appear as Harvestable

Issue

Impacted Platforms: All

The @unharvestable tag is not being honored at the interface level. If MBean attributes are not explicitly marked as @unharvestable , they are considered to be harvestable and will appear as harvestable in the WebLogic Server Administration Console.

Issue

Impacted Platforms: All

When specifying a wildcard pattern in a variable for a watch rule expression that matches custom MBean ObjectName patterns, ensure that the pattern is sufficiently explicit. If you exclude an MBean type name and use an ambiguous instance pattern, the following may result:

Only WebLogic Server runtime MBean instances are matched to the pattern.

The desired custom MBean instances are ignored.

For example, the following ObjectName pattern does not explicitly declare a type and uses an ambiguous ObjectName pattern that can match a WebLogic Server runtime MBean instance:

${ServerRuntime//com.b*:Type=Server*,*}

Workaround

To avoid confusion, use a sufficiently explicit ObjectName pattern, or declare the MBean type in the variable expression.

Behavior Change in CreateSystemResourceControl

Issue

Impacted Platforms: All

This issue is related to a change in how WLDF uses the module name for harvester records and watch rule notifications. The internal descriptor name is now overridden to use the name that is provided when the external WLDF descriptor is registered through the Runtime Control API or WLST functions. You will notice this if you have been using the Runtime Control feature to deploy external WLDF system resources to gather Harvester metrics, or listen for a Watch rule notification based on the deployed module.

For example, if the Harvester and Watch elements in your deployed descriptor resemble the following:

<harvester>
   <name>MyExternalResource</name>
<watch-notification>
   <name>MyExternalResource></name>

and you register this descriptor with the runtime control as createSystemControl("resource1", ...) , previously harvester data would have been recorded using MyExternalResource as the WLDFMODULE column value for Harvester records in the archive for this resource. It would also be used for the module name in the Watch Notification payloads. Now, resource1 would be used for the WLDFMODULE name in the harvester records and watch and notification payloads.

Use the name the external WLDF resource was registered with when using the WLST command createSystemResourceControl() . Additionally, any notification listeners for Watch notifications from an external resource that are dependent on the WLDF module name in the notification payload should be looking for the name the control was registered with.

For example, if you register your control as createSystemResourceControl("resource1", ...) then the WLDF Accessor queries for this resource should include the module name as WLDFMODULE='resource1' in the query string.

Errors May Occur Writing to WLDF Archive During EBR Upgrade of WLDF Schema Using Oracle Upgrade Assistant

Issue

Impacted Platforms: All

If you configured the WLDF archive for servers in a domain to use an Oracle EBR editioned schema, and attempt to upgrade that schema using Upgrade Assistant, it is possible that some errors may occur in servers that are still running against that schema when the upgrade is performed.

This is relevant in the following conditions:

WLDF schemas installed to an Oracle EBR database using the 12.1.2 Repository Creation Utility (RCU) or manually created WLDF schemas from an earlier version of WebLogic Server

When using the Upgrade Assistant, the user chooses to upgrade the existing schema to use Oracle EBR editioned tables

There are servers running while the upgrade is performed (for example, if the schema is shared across multiple WebLogic Server domains)

During the upgrade, the WLDF tables are renamed and edition-based views are created to point to the renamed instances. No data is lost in this operation. However, in these situations, there may be a brief period where some errors can occur (during the time while the upgrade is performed) in the running servers when recording WLDF Harvester or Instrumentation data.

These errors are not critical and should not affect server performance, but may result in a lost of a small amount of monitoring data for those servers.

Workaround

To avoid the potential of this occurrence, you can halt the affected WebLogic Server domain(s) during the Oracle Database upgrade process.

Node Manager Issues and Workarounds

This section describes the following Node Manager issue and workaround:

Removing Primary Interface Causes Error During Server Migration

Issue

Impacted Platforms: Linux

On some specific Linux platforms and versions, there is an issue removing a virtual interface/alias dynamically. Removing the virtual interface that is the primary address of the interface may result in other secondary virtual IP addresses being removed at the same time. This may lead to random exceptions occurring with Node Manager during server migration. If you have this issue, you may occasionally find exceptions in the Node Manager log file when shutting down a server after migration. For example, you may receive the following error:

java.io.IOException: Command '/<PATH to DOMAIN>/bin/server_migration/wlsifconfig.sh -removeif -IPv4 eth0 X.X.X.X returned an unsuccessful exit code '1' .

Here is an example of the issue:

First, add three virtual interfaces, with the first one being the primary:

$ sudo /sbin/ifconfig eth0:4 X.X.X.178 netmask 255.255.248.0
$ sudo /sbin/ifconfig eth0:5 X.X.X.179 netmask 255.255.248.0
$ sudo /sbin/ifconfig eth0:6 X.X.X.180 netmask 255.255.248.0
$ sudo /sbin/ifconfig eth0:4 down

When removing the primary (first one in list), the other two will be automatically removed at the same time.

Workaround

To fix this issue temporarily, use the following command to enable the promote_secondaries flag on your network interface. Replace eth0 with your actual interface name:

$ sudo /sbin/sysctl net.ipv4.conf.eth0.promote_secondaries=1

You can also use the following command to update the default setting for all interfaces:

$ sudo /sbin/sysctl net.ipv4.conf.all.promote_secondaries=1

If this is enabled and the primary address of an interface gets deleted, a secondary interface will be upgraded to become the primary interface. The default is to purge all the secondary interfaces when you delete the primary interface.

To permanently remedy this issue after server reboot, update the sysctl.conf file. For example:

$ echo "net.ipv4.conf.eth0.promote_secondaries=1" >> /etc/sysctl.conf
               

Node Manager Not Putting Up -D64 When Starting Server Using Java Command

Issue

Impacted Platforms: HPUX IA64

There is a fundamental difference between Node Manager starting a server using a start script and Node Manager starting a server using the Java command. When using the start script, the -d64 flag is added based on some script language that detects the platform. Node Manager does not add this flag when starting a server with the Java command.

Workaround

When starting a server using Node Manager through the Java command, specify arguments such as -d64 in the ServerStart arguments field.

Issue

Impacted Platforms: All

In rare cases, Oracle HTTP Server (OHS) instances that are managed by WebLogic Server may start in state UNKNOWN . This can occur if the Administration Server is unable to initialize the state of the OHS instance, for example, if Node Manager is not running at the time the OHS instance is created and if you connect directly to Node Manager and bypass the Administration Server when checking the state for the first time.

Issue

Impacted Platforms: MS Windows

The OPSS template information that is necessary to start Node Manager using installNodeMgrSvc.cmd is missing. As a result, installNodeMgrSvc.cmd cannot be used correctly in a JRF/OPSS environment. Node Manager will start without the information used to specify the correct classes to load KSS and will use JKS as the default keystore. You will notice this problem when you are setting up your environment and first run startNodeManager.cmd , which will load KSS.

Edit the installNodeMgrSvc.cmd command before using it, copying the section from startNodeManager.cmd . For example:

set JAVA_OPTIONS=%JAVA_OPTIONS%
-Doracle.security.jps.config=C:\OracleHome11g\user_projects\domains\mydomain\config\fmwconfig\jps-config-jse.xml
-Dcommon.components.home=C:\OracleHome1213\Oracle_Home\oracle_common -Dopss.version=12.1.3
if NOT "%POST_CLASSPATH%"=="" (set POST_CLASSPATH=C:\OracleHome1213\Oracle_Home\oracle_common\modules\oracle.jps_12.1.3\jps-manifest.jar;%POST_CLASSPATH%)
else (set POST_CLASSPATH=C:\OracleHome1213\Oracle_Home\oracle_common\modules\oracle.jps_12.1.3\jps-manifest.jar)
               

New Node Manager Property Names Cannot Be Used From WLST Offline

Issue

Impacted Platforms: All

WLST offline, as well as the pack and unpack commands, do not support setting the following new Node Manager replacement properties that were introduced in WebLogic Server 12.1.3.

Operations, Administration, and Management Issues and Workarounds

There are no known Operations, Administration, and Management issues in this release of WebLogic Server.

Oracle Kodo Issues and Workarounds

Value Retrieved for an Empty Byte Array Field is NULL

Issue

Impacted Platforms: MS Windows 2000

When trying to persist an empty byte array field within an entity to a Sybase or Oracle database, the value gets stored as a NULL rather than as bytes. As a result, when retrieving the value, NULL is returned.

This is a limitation of the Sybase and Oracle drivers, which convert the empty byte array to a NULL while storing it in the database. The issue happens with WebLogic JDBC drivers as well as the proprietary Sybase and Oracle drivers.

Workaround

Plug-ins Issues and Workarounds

This section describes the following issue for various WebLogic Server plug-ins:

apr_socket_connection Exception Occurs When Using the IIS Plug-In

Issue

Impacted Platforms: All

Under the following circumstances, the IIS plug-in may not work, resulting in an apr_socket_connection error:

Both the IIS and WebLogic Server instances are on the same machine.

IPv6 is enabled on the machine, but the machine is not in an IPv6 environment (that is, the IPv6 interface is enabled but is not working).

The listen address of the WebLogic Server instance is set to the simple host name.

Either the directive WebLogicHost or WebLogicCluster is set to the simple host name for the IIS instance.

Note:

To set the property to consistently enable HTTP proxying:

Security Issues and Workarounds

This section describes the following issues and workarounds:

Service-side Kerberos Authentication Fails With Error 401

Issue

Impacted Platforms: All

Service-side Kerberos authentication fails with an HTTP/1.1 Error 401 Unauthorized if the JDK version is JRockit 1.60_24, 1.60_28, or 1.60_29.

Issue

Impacted Platforms: All

The option -Dweblogic.system.StoreBootIdentity works only if the appropriate server security directory exists. This directory is usually created by the Configuration Wizard or upgrade tool.

However, the appropriate server security directory could be absent in domains checked into source-control systems.

Workaround

Boot Time Failure Occurs With SecurityServiceException

Issue

Bug Number:

Impacted Releases:

Impacted Platforms: All

A WebLogic Server instance can experience a boot time failure with a SecurityServiceException when the RDBMS Security Data Store is configured for a DB2 database using the DB2 driver supplied with WebLogic Server.

When configuring the SAML 2.0 federation services for a WebLogic Server instance, be sure to enable all binding types that are available for the SAML role being configured. For example, when configuring SAML 2.0 Identity Provider services, you should enable the POST, Redirect, and Artifact bindings. When configuring SAML 2.0 Service Provider services, enable the POST and Artifact bindings. Optionally, you may choose a preferred binding.

Enabling Both the Authentication and Passive Attributes In SAML 2.0 Service Provider Services Is an Invalid Configuration

Issue

Impacted Platforms: All

When configuring SAML 2.0 Service Provider services, enabling both the Force Authentication and Passive attributes is an invalid configuration that WebLogic Server is unable to detect. If both these attributes are enabled, and an unauthenticated user attempts to access a resource that is hosted at the Service Provider site, an exception is generated and the single sign-on session fails.

Note that the Force Authentication attribute has no effect because SAML logout is not supported in WebLogic Server. So even if the user is already authenticated at the Identity Provider site and Force Authentication is enabled, the user is not forced to authenticate again at the Identity Provider site.

Avoid enabling both these attributes.

Workaround

Running the WebLogic Full Client in a Non-Forked VM

Issue

Impacted Platforms: All

If the WebLogic Full Client is running in a non-forked VM, for example by means of a <java> task invoked from an Ant script without the fork=true attribute, the following error might be generated:

java.lang.SecurityException: The provider self-integrity check failed.

This error is caused by the self-integrity check that is automatically performed when the RSA Crypto-J library is loaded. (The Crypto-J library, cryptoj.jar , is in the wlfullclient.jar manifest classpath.)

This self-integrity check failure occurs when the client is started in a non-forked VM and it uses the Crypto-J API, either directly or indirectly, as in the following situations:

The client invokes the Crypto-J library directly.

The client attempts to make a T3S connection, which triggers the underlying client SSL implementation to invoke the Crypto-J API.

When the self-integrity check fails, further invocations of the Crypto-J API fail.

Workaround

When running the full client in a <java> task that is invoked from an Ant script, always set the fork attribute to true .

For more information about the self-integrity check, see "How a Provider Can Do Self-Integrity Checking" in How to Implement a Provider in the Java™ Cryptography Architecture, available at the following URL:

Random Number Generator May Be Slow on Machines With Inadequate Entropy

Issue

Impacted Platforms: Linux

In order to generate random numbers that are not predictable, SSL security code relies upon "entropy" on a machine. Entropy is activity such as mouse movement, disk IO, or network traffic. If entropy is minimal or non-existent, then the random number generator will be slow, and security operations may time out. This may disrupt activities such as booting a Managed Server into a domain using a secure administrator channel. This issue generally occurs for a period after startup. Once sufficient entropy has been achieved on a JVM, the random number generator should be satisfied for the lifetime of the machine.

For further information, see Sun bugs 6202721 and 6521844 at:

LDAP Authenticator Log Messages Show Incorrect URL

The WebLogic Server LDAP Authentication provider log messages show an incorrect URL for the LDAP connection returned by the getConnection method. The getConnection messages indicate that SSL is used, even if you did not specify SSL in the WebLogic Server provider configuration.

Workaround

The "Connecting to host" messages in the log file do correctly indicate whether SSL is used. For example,

<Connecting to host=somehost, port=3060>

<Connecting to host=somehost, ssl port=3060>

Issue

Impacted Platforms: All

When starting an ODI Managed Server, the identity used to start the Managed Server is not mapping properly to the WebLogic Sever Administrator role, causing security errors. If these warnings are seen while starting the Managed Server, the embedded LDAP files from the Managed Server are causing a resynchronization of the policy from the Administration Server.

Workaround

Remove the embedded LDAP files in the folder <domain>/…/data/ldap/ldapfiles from the Managed Server and restart the Managed Server.

Use of WebLogic SAML Support For SSO is Not Supported in Partitions or With Security Realm Restart

Issue

Impacted Platforms: All

Using SAML 1.1 and SAML 2.0 for single sign-on with web browsers and HTTP clients is not supported in partitions or for automatic realm restart.

However, the use of SAML 1.1 and SAML 2.0 with web services is fully supported with these features.

Workaround

Compatibility Realm Domains Are Not Supported by WebLogic 12.2.1.1 Clients

Issue

Impacted Platforms: All

SNMP Issues and Workarounds

There are no known SNMP issues in this release of WebLogic Server.

Spring Framework on WebLogic Server Issues and Workarounds

This section describes the following issues and workarounds:

OpenJPA ClassFileTranformer Does Not Work When Running on JRockit

Issue

Impacted Platforms: All

The OpenJPA ClassFileTranformer does not work when running WebLogic Server on JRockit.

System Component Architecture (SCA) Issues and Workarounds

This section describes the following issues and workarounds:

No Support for SCA in Domain Partitions

Issue

Impacted Platforms: All

The SCA container has not been updated for use in domain partitions. Use of SCA in partitions will result in undefined behavior. If you need to run SCA applications, do not add domain partitions to your domain.

Workaround

Issue

Impacted Platforms: All

The following exception occurs when upgrading Oracle WebLogic Server using the Reconfiguration Wizard with log_priority=ALL :

Internal Exception: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (NM_OPSS.IDX_JPS_RDN_PDN) violated

SAXParseException May Occur During Reconfiguration

Issue

Impacted Platforms: All

The following exception appears in the reconfig.log after invoking reconfig.sh with log_priority=ALL :

[org.xml.sax.SAXParseException; lineNumber: 3; columnNumber: 77; cvc-elt.1: Cannot find the declaration of element 'stringSubsInfo'.]

Manually Configure DefaultIdentityAsserter During Domain Upgrade

Issue

Impacted Platforms: All

Several WebLogic Server software features, such as Lifecycle Manager, RESTful Management Services, WebLogic Server Administration Console, and Fusion Middleware Control have dependencies on WebLogic Server security features which may not be present in an upgraded domain configuration.

Workaround

You must manually configure the following security features during domain upgrade:

Create an LCMUser service account if not present. This service account must be present in the administrator group and should have a secure password.

Update the DefaultIdentityAsserter configuration to include weblogic-jwt-token as an active type if not present.

Web Applications Issues and Workarounds

This section describes the following issues and workarounds:

MaxPostSizeExceededException Reported in Web Browser

Issue

Impacted Platforms:All

After upgrading an application from a WebLogic Server version prior to 12.1.2, a MaxPostSizeExceededException is reported in the web browser.

Issue

Impacted Platforms: All

When accessing a Web page using the SSL port, the page fails to open and the following error is reported:

Secure Connection Failed 
An error occurred during a connection to <hostname>. 
You have received an invalid certificate. Please contact the server 
administrator or email correspondent and give them the following information: 
Your certificate contains the same serial number as another certificate 
issued by the certificate authority. Please get a new certificate containing a unique serial number.

Unable to View the Output of a JSPX Page in Internet Explorer

Issue

Impacted Platforms: MS Windows

When a JSPX page is deployed and is then accessed using some versions of Internet Explorer, the XHTML source is displayed instead of the page contents. This occurs in both normal and osjp.next modes.

Workaround

Application developers should avoid using SVG graphics in their applications, as it is not natively supported in IE7. If used, a warning similar to the following should be added:

Deployment Plans Cannot Be Used To Override Two Descriptors

Issue

Impacted Platforms: All

Deployment plans cannot be used to override the following two descriptors during deployment of a Web application or a Web module: WEB-INF/classes/META-INF/persistence.xml and WEB-INF/classes/META-INF/persistence-configuration.xml. Deployment plans can otherwise be used to override any descriptor.

Workaround

Package WEB-INF/classes/META-INF/persistence.xml and WEB-INF/classes/META-INF/persistence-configuration.xml (if present) along with related class files into a JAR file. The JAR file must then be placed in the WEB-INF/lib directory of the Web application or Web module. A deployment plan can be used to override the two descriptors in such a JAR file.

Spring Dependency Injection Not Supported on JSP Tag Handlers

Issue

Impacted Platforms: All

With the Spring extension model enabled, WebLogic Server 10.3 or later does not support Spring Dependency Injection (DI) on JSP tag handlers for performance reasons.

Currently, WebLogic Server supports Spring DI on most Web components, for example, servlets, filters and listeners. Spring DI is not, however, presently supported on JSP tag handlers for performance reasons.

Workaround

No workaround available.

503 Error When Accessing an Application With a Valid sessionid

Issue

Impacted Platforms: All

When a session is persistent and an older version of a servlet context is retired, accessing the application with a valid sessionid will cause a 503 error.

For example, the session-persistent type of a versioned Web application is 'file'. A user can access the application successfully. Later, version 2 of the application is redeployed and version 1 is retired. If the same user accesses the application, they will get a 503 error.

Workaround

No workaround available.

Applications Configuring jdbc-connection-timeout-secs Fail to Deploy

Issue

Impacted Platforms: All

As of WebLogic Server 12.1.2, the jdbc-connection-timeout-secs element in the weblogic.xml deployment descriptor has been removed. Applications that configure jdbc-connection-timeout-secs will fail to deploy on WebLogic Server 12.1.2 server instances, resulting in the following error in the server log:

Unable to load descriptor /.../WEB-INF/weblogic.xml of module myweb. The error is weblogic.descriptor.DescriptorException: VALIDATION PROBLEMS WERE FOUND 
  <6:7> problem: cvc-complex-type.2.4a: Expected elements 'timeout-secs@http://xmlns.oracle.com/weblogic/weblogic-web-app ...' instead of 'jdbc-connection-timeout-secs@http://xmlns.oracle.com/weblogic/weblogic-web-app' here in element session-descriptor@http://xmlns.oracle.com/weblogic/weblogic-web-app

Default JSP Encoding Changed to UTF-8

Issue

Impacted Platforms: All

As of WebLogic Server 12.1.3, the default value of the encoding element for the jsp-descriptor element in weblogic.xml is UTF-8 for JSP pages. Prior to WebLogic Server 12.1.3, the default value for JSP encoding was ISO-8859-1 .

Workaround

WebLogic Server Scripting Tool (WLST) Issues and Workarounds

This section describes the following issues and workarounds:

Property Names Containing Certain Characters Are Not Supported by loadProperties

Issue

Impacted Platforms: All

The WLST loadProperties command does not support loading a property with a name that contains "." characters. For example, if the property myapp.db.default is present in the property file, WLST throws a name exception:

  Problem invoking WLST - Traceback (innermost last):
    File "<iostream>", line 7, in ?
    File "<iostream>", line 4, in readCustomProperty
  NameError: myapp

This is a system limitation of Python and the loadProperties command. WLST reads the variable names and values and sets them as variables in the Python interpreter. The Python interpreter uses "." as a delimiter to indicate module scoping for the namespace, or package naming, or both. Therefore, the properties file fails because myapp.db.default.version=9i is expected to be in the myapp.db.default package. This package does not exist.

Use variable names that do not have periods. This will allow you to load the variables from the property file and refer to them in WLST scripts. You could use another character such as "_" or lowercase/uppercase character to delimit the namespace.

As an alternative, you can set variables from a properties files. When you use the variables in your script, during execution, the variables are replaced with the actual values from the properties file. For example:

myapp.py
var1=10
var2=20
import myapp
print myapp.var1
print myapp.var2

This will work for one level of namespaces ( myapp.var1 , myapp.var2 ). It will not work for top level variables that share the same name as the namespace (for example, myapp=oracle and myapp.var1=10 ). Setting the myapp variable will override the myapp namespace.

If you need multiple levels, then you can define a package namespace using directories. Create a myapp/db/default directory with a vars.py file as follows:

var1=10
var2=20

Then import:

import myapp.db.default.vars
print myapp.db.default.vars.var1

You may need to add __init__.py files to the subdirectories. Refer to the Python documentation for more information on packages:

Web Services and XML Issues and Workarounds

This section describes the following issues and workarounds:

Sparse Arrays and Partially Transmitted Arrays Are Not Supported

Issue

Impacted Platforms: All

WebLogic Server does not support Sparse Arrays and Partially Transmitted Arrays as required by the JAX-RPC 1.1 Spec.

Workaround

WSDL Compiler Does Not Generate Serializable Data Types

Issue

Impacted Platforms: All

The Web Service Description Language (WSDL) compiler does not generate serializable data types, so data cannot be passed to remote EJBs or stored in a JMS destination.

Workaround

Use of Custom Exception on a Callback

Issue

Impacted Platforms: All

WebLogic Server does not support using a custom exception on a callback that has a package that does not match the target namespace of the parent Web Service.

Workaround

Make sure that any custom exceptions that are used in callbacks are in a package that matches the target namespace of the parent Web service.

Cannot Use JMS Transport in an Environment That Also Uses a Proxy Server

Issue

Impacted Platforms: All

You cannot use JMS transport in an environment that also uses a proxy server. This is because, in the case of JMS transport, the Web Service client always uses the t3 protocol to connect to the Web Service, and proxy servers accept only HTTP/HTTPS.

Workaround

clientgen Fails When Processing a WSDL

Issue

Impacted Platforms: All

clientgen fails when processing a WSDL that uses the complex type http://www.w3.org/2001/XMLSchema{schema} as a Web Service parameter.

Issue

Impacted Platforms: All

When Web Service A wants to invoke Web Service B, Web Service A should use the @ServiceClient annotation to do this. If Web Service B needs a custom policy file that is not attached to the WSDL for Web Service B, then Web Service A will fail to run. Web Service A will look for the policy file at /Web-Inf/classes/policies/ filename .xml . Since no policy file exists at that location, WebLogic Server will throw a 'file not found' exception.

Attach the custom policy file to Web Service B, as in this example:

@Policy(uri="CustomPolicy.xml",
        attachToWsdl=true)
public class B {
               

Client Side Fails to Validate the Signature on the Server Response Message

Issue

Impacted Platforms: All

When the security policy has one of these Token Assertions, the client side may fail to validate the signature on the server response message.

  <sp:WssX509PkiPathV1Token11/>
  <sp:WssX509Pkcs7Token11/>
  <sp:WssX509PkiPathV1Token10/>
  <sp:WssX509Pkcs7Token10/>

In addition, when there are more than two certifications in the chain for X509 certification for <sp:WssX509Pkcs7Token11/> or <sp:WssX509Pkcs7Token10/> Token Assertion, the server side may fail to validate the signature on the incoming message.

A policy such as the following policy is not supported, unless the entire certificate chain remains on the client side.

<sp:AsymmetricBinding>
   <wsp:Policy>
      <sp:InitiatorToken>
         <wsp:Policy>
            <sp:X509Token
               sp:IncludeToken='. . ./IncludeToken/AlwaysToRecipient'>
            <wsp:Policy>
               <sp:WssX509Pkcs7Token11/>
            </wsp:Policy>
         </sp:X509Token>
      </wsp:Policy>
      </sp:InitiatorToken>
      <sp:RecipientToken>
      <wsp:Policy>
      <sp:X509Token sp:IncludeToken='. . ./IncludeToken/Never'>
            <wsp:Policy>
               <sp:WssX509Pkcs7Token11/>
            </wsp:Policy>
         </sp:X509Token>
      </wsp:Policy>
      </sp:RecipientToken>
   . . .
      </wsp:Policy>
   </sp:AsymmetricBinding>