Oracle® Secure Enterprise Search

4.1 OracleAS Portal Issues

Following are the issues:

• Secure OracleAS Portal crawling requires the latest version of OracleAS Portal.

  Workaround: The following table lists patch information necessary for each version of OracleAS Portal for which Oracle SES certifies. You can apply the one-off patch on top of the listed version, or you can wait to upgrade to the next patchset indicated. The one-off patches are available on OracleMetaLink at

  https://metalink.oracle.com

  Enter the bug number for the appropriate OracleAS Portal release to get the patch.

  Table 1 OracleAS Portal Patch Necessary for Secure OracleAS Portal Crawling

  OracleAS Portal Release	Patchset to Upgrade	One-off Patch
  9.0.4	9.0.4.3.0	This is tracked with bug 4637116. This should be applied on top of 9.0.4.2.0.
  10.1.2	10.1.2.2.0	This is tracked with bug 5043725. This should be applied on top of 10.1.2.0.2.
  10.1.4	10.1.4.1.0	This is tracked with bugs 4892619 and 5024386. This should be applied on top of 10.1.4.0.0.

  
  

4.2 Installation Issues

An exception error occurs if the Back button is clicked on the Specify Inventory Directory and Credentials page.

This is tracked with bug 5091607.

4.3 General Issues

Following are the general issues:

• The http response header from an Oracle SES server contains the SERVER version information that may be used to exploit potential vulnerabilities of the system.

  Workaround: Override the SERVER field in http response header by performing the following steps:

  1. Locate the file: $ORACLE_HOME/bin/searchctl.pl.

  2. Add the following characters in bold:

     sub startUS()
     {
         print "\nStarting Search midtier .... please wait.\n\n";
         my $scmd = $PFX.$JAVAW.$params." -Dhttp.webdir.enable=false
     -Doracle.oc4j.localhome=$FFB
     -Djava.security.properties=".catfile($JH,'home','config','jazn.secur
     ity.props').' -Dhttp.server.header=unknown
     -Doracle.security.jazn.config='.catfile($JH,$INST_
     NAME,'config','jazn.xml').' -jar '.catfile($JH,'home','oc4j.jar').'
     -userThreads -config '.catfile($JH,$INST_
     NAME,'config','server.xml').' -out '.catfile($JH,$INST_
     NAME,'log','oc4j.log').' -err '.catfile($JH,$INST_
     NAME,'log','oc4j.log').$SFX;
     
     

  3. Restart the middle tier with searchctl restart.

  This is tracked with bug 5088104.

• Oracle SES does not support a default entity to attribute mapping mechanism for XML content.

  Workaround: A custom crawler plug-in is required to crawl and index XML. (see the Oracle Secure Enterprise Search Administrator's Guide for details).

  This is tracked with bug 4501161.

• The e-mail message browser in the default query application is unable to display attached HTML files for crawled e-mail messages that were originally sent from certain mail clients (for example, Mozilla Thunderbird). An UnsupportedEncodingException will be shown instead.

  This is tracked by bug 5104659.

4.4 Administration Issues

Following are the administration issues:

• Table sources cannot handle quoted identifiers for the table or column names. For example, table or column names containing spaces, lowercase characters, or non-alphabetic characters other than underscore (_), dollar sign ($), and pound sign (#) are not supported.

  Workaround: Create a view using nonquoted identifiers on top of the table having quoted identifiers. Then crawl that view.

  This is tracked with bug 5093512.

• If you are administering an Oracle SES instance with existing sources and schedules and you accidentally click Recover on the Global Settings - Configuration Data Backup and Recovery page, then you should see the error message "Recovery is only allowed on a freshly installed system. No sources or schedules should be created before recovery." At this point, triggers and foreign key constraints in the embedded database will have been erroneously disabled. This may cause sporadic problems if you continue to use this Oracle SES instance.

  Workaround: Contact support or access Metalink for the support instructions to re-enable the triggers and constraints in your Oracle SES instance.

  This is tracked with bug 5086309.

• Limitations in the range of characters that can be used in the Suggested Links feature: Suggested links does not support keywords with a hyphen, such as e-travel. The characters +-!`~ in a query string are ignored while matching suggested links, and the characters ~`!@#$%^*()_+-=[]\{}|;:?,./<>"'& should be ignored in suggested links.

  This is tracked with bugs 4434993, 4280409, and 4280437.

• Detailed crawler statistics does not display host names for URLs that are not of the form: protocol://host/path.

  This is tracked with bug 4247515.

• When an end user changes the credentials (user name/password) for a subscribed (self service) source after it has been crawled, the earlier documents crawled with the old credentials remain in the index.This may cause unexpected behavior for e-mail sources, in which the old documents may share the same URL with new e-mail documents from the most recent e-mail account. In this situations, some e-mail messages from the most recent crawl using the new credentials may not be indexed if an old message shares the same folder and message IDs.

  Workaround: Update the crawler recrawl policy to Process All Documents on the Home - Schedules - Edit Schedules page, and recrawl the source.

  This is tracked with bug 5048374.

• The administration tool states that the following file format types are supported:

  • dBase

  • Paradox

  • Framework

  These three file format types are not supported.

  This is tracked with bug 5102440.

4.5 Secure Search Issues

Following are the secure search issues:

• If the SSL port for the connection to an Oracle Internet Directory server was incorrectly specified in the Global Settings - Directory Setup page, then the connection operation will succeed, but ACL security group resolution for search queries will be disabled. For example, suppose user1 is a member of group1, and a group ACE is added to grant group1 access to a source. User1 cannot access documents in that source, because the user's group membership is not resolved.

  Workaround: Reconnect to the Oracle Internet Directory server using the correct SSL port.

  This is tracked with bug 5105083.

• If it is necessary to switch from the current Oracle Internet Directory server to a different one, or to change any aspect of the connection configuration (such as realm), then the ACL for all sources currently protected using Oracle SES ACL must be cleared (that is, all entries deleted) before registering the new Oracle Internet Directory server.

  Workaround: The old ACLs should be manually deleted when switching from one Oracle Internet Directory server to another. Then the new ACLs added again.

  This is tracked with bug 5048501.

• The documented restrictions about changing ACL policies are not enforced for mailing list sources.

  Workaround: The ACL policy must be updated when the crawl is finished.

  This is tracked with bug 5063158.

• The documented restrictions about changing ACL policies only work if the Authorization page for the source in the administration tool is current. If the page is not current, then you may be able to update the ACL policy in a way that should be disallowed.

  Workaround: Before updating the ACL policy, ensure that the Authorization page is current by clicking the browser Refresh button.

  This is tracked with bug 5065426.

• When Oracle SES is not connected to Oracle Internet Directory, the ACL policy can be set to Oracle SES ACL or ACLs Controlled by Source. This should not be allowed.

  Workaround: Do not set the ACL policy to Oracle SES ACL or ACLs Controlled by Source when Oracle SES is not connected to Oracle Internet Directory. It should be set to No ACL.

  This is tracked with bug 5064538.

• If you are writing a custom query application that communicates with an Oracle SES federated setup, and if a source on the Oracle SES slave instance is protected by query-time authorization, then any session context created on the Oracle SES master instance will not be propagated to the QueryTimeFilter on the slave instance. This is an issue when the custom query application is utilizing the setSessionContext Web Services operation to perform user authentication without an Oracle Internet Directory server.

  Workaround: Use the standard Oracle Internet Directory user authentication setup for the Oracle SES master instance. In this configuration, the AUTH_USER value representing the Oracle Internet Directory authenticated user will be propagated to the QueryTimeFilter on the slave node.

  This is tracked with bug 5069128.

• Private results may not be returned if you are protecting Oracle SES using SSO mode (2) (that is, only private content is protected by SSO) and also using either the Web services login method or federation.

  Workaround: Remove the filter element in the web.xml file. Follow these steps:

  1. Open the web.xml file found in $ORACLE_HOME/oc4j/j2ee/oc4j_applications/applications/search_query/query/WEB-INF/web.xml. You will see two elements filter and filter-mapping. Comment them out:

     <!-- commenting filter and filter-mapping due to bug 5072567 
        <filter> 
         <filter-name>RequestFilter</filter-name> 
         <filter-class>oracle.search.query.RequestFilter</filter-class> 
       </filter> 
      
       <filter-mapping> 
        <filter-name>RequestFilter</filter-name> 
        <servlet-name>OracleSearch</servlet-name> 
       </filter-mapping> 
       -->
     

  2. Restart the middle tier with searchctl restart.

  This is tracked with bug 5072567.

• Cannot use the single sign-on (SSO) authentication for Web sources. SSO authentication looks for one signature, which is the name of the SSO login form. The name is currently hard-coded as "LoginForm", as it is the default form name for the SSO server.

  Workaround: Make the form name a parameter in eq$crawler_config_default. When new form names need to be added, an INSERT statement like the following can be issued to add a new value into the global config table:

  INSERT INTO EQ$CRAWLER_CONFIG_DEFAULT(CCD_CW_ID, CCD_PNAME, CCD_PVALUE) 
       values(-2, 'CC_SSO_FORM_NAME', 'NewFormName'); 
  
  

  This is tracked with bug 4727588.

4.6 Search Term Issues

Following are the search term issues:

• Wildcard search inside a phrase is not supported.

  This is tracked with bug 4451462.

• Boolean OR operator is not supported between advanced search operators. (for example, site & filetype query operators).

  This is tracked with bug 4451445.

• Very long search terms cause an exception in the Web service query interface.

  This is tracked with bug 4446793.

• Browse results do not include file sources.

  This is tracked with bug 4285489.

4.7 Internationalization Issues

Following are the internationalization issues:

• The first character of highlighted text (KWIC) is not displayed for multibyte words.

  This is tracked with bug 4311907.

• The administration environment language is reset to English after having been set to another language if not properly logged out.

  This is tracked with bug 4424711.

• Browse categories render incorrectly in BIDI.

  This is tracked with bug 4198113.

• If Oracle SES is installed in an operating system with European locale, then the crawler will finish with Failed state with the following error in the crawler log file:

  ORA-00933: SQL command not properly ended.

  The first time crawl that raises the error is successful; that is, all documents crawled are searchable. But recrawl of the same source will be blocked. After applying the workaround, you should be able to recrawl.

  Workaround: Set the machine locale to English.

  For example:

  setenv LANG en_US 
  setenv LC_ALL en_US 
  searchctl stopall 
  searchctl startall
   
  

  This is tracked with Oracle bug 5113622.

• If the browser locale is Portuguese, then search fails with an Oracle internal error. The locale code for Portuguese is a reserved word for Oracle Text, and the query introduces a syntax error.

  Workaround: Specify a locale that is not Portuguese.

  This is tracked with Oracle bug 5065141.

4.8 Crawler Plug-in Issues

Following are the crawler plug-in issues:

• If the crawler plug-in specifies a default parameter value that is encrypted, then the actual value is not propagated through the administration tool. That is, the encrypted value "*****" is saved. This occurs only on the Home - Sources - Create User-Defined Source page.

  Workaround: With a custom crawler plug-in, do not provide a default value for a parameter that is encrypted. Instead, enter the encrypted value manually when creating the user-defined source. Otherwise, if a default value for an encrypted parameter is supplied, then manually re-enter the default value, or a new value, in the input box before creating the user-defined source.

  This is tracked with bug 5076029.

• In the crawler plug-in interface, when a document is empty or is in pure text format (not HTML), document attributes may not be inserted correctly into the index. This may affect attribute search and search within a source group.

  Workaround: Add a start tag and end tag in the document content; for example, <html></html> for empty or text documents before submitting the document to the crawler.

  This is tracked with bug 5047114.

• When editing user-defined sources, the following pages in the administration tool do not apply to the crawler plug-in:

  • Authentication page

  • Document Types page

  • Crawling Parameters page: Only the following fields on this page can be set for user-defined sources: Number of crawling threads, Enable language detection, Default language

  • When specifying an access control list principal to the DocumentAcl.addPrincipal method, the principal format cannot be in DN format.

    Workaround: Specify principal in GUID format.

    This is tracked with bug 5089586.

  • The crawler could get an Out of Memory error as document content is read into memory if the plug-in submits text documents totalling around 100M.

    This is tracked with bug 5043491.

  • The crawler does not enforce maximum document size and mimetype checking for plug-in crawl.

    Workaround: The plug-in must handle mimetype rejection and large document rejection itself.

    This is tracked with bug 5043493.

4.9 Web Services API Issues

Following are the web services API issues:

• The logUserClick API is not supported.

  This is tracked with bug 5090058.

• Deploying an application using the Web Services APIs in the same middle tier (OC4J container) as Oracle SES is not supported if the Oracle SES crawlers require HTTP proxy settings.

  Workaround: Oracle SES HTTP proxy settings are applied to the entire OC4J container. Invocation of the WS APIs should be done without using a proxy. That is, this particular URL to the custom Web application should be excluded from the proxy settings. For this, make the settings in searchctl.pl file directly, so that it will be effective for the entire OC4J container.

  1. Open $ORACLE_HOME/bin/searchctl.pl.

  2. Find the startUS subroutine.

  3. Add the following options to the $cmd variable after the first doublequote:

     -Dhttps.proxyHost=<host> -Dhttps.proxyPort=<port> 
     -Dhttp.proxyHost=<host> -Dhttp.proxyPort=<port>
     -Dhttp.nonProxyHosts='<*.domain>'
      
     

     where <*.domain> is the domain you want to exclude from the proxy settings

  4. Restart the middle tier with searchctl restart.

  This is tracked with bug 5102814.

4.10 Federated Search Issues

Following are the federated search issues:

• After the federator is deployed, Oracle Internet Directory connection and disconnection cannot be done with the Oracle Secure Enterprise Search administration tool.

  Workaround: Connect to, and disconnect from, Oracle Internet Directory through a command line tool.

  Enter the following to connect to Oracle Internet Directory from the command prompt:

  $ORACLE_HOME/bin/searchctl config action=setup_oid oid="<oid host>" 
  oid_port=<oid port> oid_sslport=<oid SSL port> oid_subscriber_dn="<realm 
  distinguished name>" oid_user_dn="<administrator user name>" 
  oid_passwd=<administrator password> jdbc_str="<jdbc connect string>" 
  dba_user=eqsys dba_passwd=<SES password>
   
  

  The Oracle Internet Directory host, Oracle Internet Directory port, Oracle Internet Directory SSL port, realm distinguished name, administrator user name, and Oracle Internet Directory password should be entered exactly as they would be entered on the Global Settings - Directory Setup Page in the Oracle SES administration tool. The Oracle Internet Directory host, realm distinguished name, and administrator user name should be enclosed in quotes (as shown).

  The JDBC connect string can be obtained from the $ORACLE_HOME/search/webapp/config/search.properties file by examining the connection.url entry. The entry should have the form connection.url=jdbc:oracle:thin:@<SES host>:<DB port>:<DB SID> For the searchctl command to connect to Oracle Internet Directory, only the host, port, and SID components should be used (that is, everything following, but not including, the '@' character).

  Enter the following to disconnect from Oracle Internet Directory from the command prompt:

  $ORACLE_HOME/bin/searchctl config action=disconnect_oid jdbc_str="<jdbc 
  connect string>" dba_user=eqsys dba_passwd=<Oracle Secure Enterprise Search password>
  
  

  This is tracked with bug 4962145.

5.1 Online Help

The Online Help page for the end user search states the following:

A query can have only one filetype shortcut. The following filetype extensions are supported: doc, html, pdf, txt, rtf, ppt, ps, xls.

Postscript is not supported, so ps should be ignored.