Oracle Analytics Cloud and Server

SSL Ping failures (1): Target: bi_server1:BI-SECURITY-SOAP @ in Obiee 12c

3365160
3365160 Rank 3 - Community Apprentice

Hi Gurus,

I configured SSL in our 3 OBIEE 12c environments and everything works fine. However, when I run the ./ssl report script, regardless of the environment, I get the following error:

Ping failures (1):

Target: bi_server1: BI-SECURITY-SOAP @ <myserver.domain>: 9505

  Java client: SSL ping OK.

     Protocol: TLSv1.2. Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.One way SSL.

  Openssl client: SSL connection failed. See detailed log output.

Nothing specific in Logs

Thank you for helping me deal with this request,

Answers

  • Mike Gray
    Mike Gray Rank 2 - Community Beginner

    I see the same errors. Did you solve the issue?

    The ssl.sh report command is logging to $DOMAIN_HOME/bilogs/sslcommand.log.

    Unfortunately, each time you run this it overwrites the log. I assume you have tried to enable 'ssl.sh internalssl true' prior to running the report 'ssl.sh report', so the log of the enable has been overwritten by the later report.

    Anyway, the sslcommand.log file shows the openssl commands being run by the report and more.

    I'm going to check I can add this reply before adding further as I cannot locate this posting via the Oracle Community.

  • naveend14
    naveend14 Rank 1 - Community Starter

    I am also getting the same error. Could not find any resolution.

    Did you solve the issue?

  • Mike Gray
    Mike Gray Rank 2 - Community Beginner

    I’ve not found the solution.

    I raised an SR with Oracle Support 2 months ago but no solution, they tell me they are unable to reproduce the error.

    Mike

  • Mike Gray
    Mike Gray Rank 2 - Community Beginner

    Just some rambling thoughts.

    I'm working on Linux, so looking at the sslcommand.log file it implies I set my openssl configuration by

    export  OPENSSL_CONF=/install/oracle/ofm_domains/user_projects/domains/<YOUR_DOMAIN>/config/fmwconfig/biconfig/core/ssl/openssl.cnf

    then I can run

    openssl s_client -showcerts  -connect <YOUR_HOST>:9505

    which shows some certificate details for a failed connection attempt

    I see

    subject=/C=US/O=Oracle/OU=Business Intelligence/CN=<MY_HOST>

    issuer=/CN=OBIEE Internal Certificate Authority/OU=OBIEE Installer 170214162555+0000/O=Oracle/C=US

    and if I look in the

    $DM_HOME/config/fmwconfig/biconfig/core/ssl

    directory tree

    I see the certificate

    internalca/demoCA/newcerts/15.pem

    which I can look at  using

    openssl x509 -text -in internalca/demoCA/newcerts/15.pem

    and it shows

    Issuer: CN=OBIEE Internal Certificate Authority, OU=OBIEE Installer 170214162555+0000, O=Oracle, C=US

    Validity

    Not Before: Feb 14 16:25:58 2017 GMT

    Not After : Feb 14 16:25:58 2037 GMT

    Subject: C=US, O=Oracle, OU=Business Intelligence, CN=<MY_HOST>

    but I have not found how to get this certificate to be trusted

    Mike

  • Mike Gray
    Mike Gray Rank 2 - Community Beginner

    Again no solution, just an update.

    Oracle support have now recreated the SSL PING error for BI-SECURITY-SOAP shown by the 'ssl.sh report' command, but are advising that in my particular circumstances I should ignore the test script report.

    The error "BI-SECURITY-SOAP" is a known issue in our test machine as we have the machine name & listening address different in our managed server. This is because we use cloning option to create test machines, hence the machine name & listening address will be different.

    Please ignore the error related to "BI-SECURITY-SOAP" ping failure.

    This leaves me with a similar error reported by the OBIEE product on port 9503 rather than the port 9505 used by the test script error.

    In the obis1-diagnostic.log I get

    [nQSError: 12002] Socket communication error at call=SSL_connect: (Number=1) error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

    [nQSError: 46119] Failed to open HTTP connection to server vuh-lb-obidev.herts.ac.uk at port 9503.

    Maybe implying an unencrypted connection attempt being made to the encrypted port 9503.

    My external SSL configuration for user connections works without apparent error.

    An openssl test on the port

    openssl s_client -showcerts  -connect <myhost>:9503

    shows

    Verify return code: 18 (self signed certificate)

    hence I believe the SSL configuration is correct.

    I'm following up the internal configuration to look into the apparent use of the unencrypted protocol.

    Mike

  • Christian Berg-0racle
    Christian Berg-0racle Rank 10 - Analytics Guru

    Thanks for keeping the thread updated with your findings Mike!

  • Mike Gray
    Mike Gray Rank 2 - Community Beginner

    Hi,

    Oracle Support have a published BUG 24745827 relating to 'SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'.

    I'm going to wait for a resolution. In the meantime, operate in 12.2.1.2 without 'internalssl true'.

    Mike

  • Mike Gray
    Mike Gray Rank 2 - Community Beginner

    All,

    I note the Oracle Document

    OBIEE 12c: ssl.sh Report Report Fails with - Ping Failures (1) - Target: Bi_server1:BI-SECURITY-SOAP Error (Doc ID 2270711.1)

    updated 20/06/2017.

    Mike

  • Mike Gray
    Mike Gray Rank 2 - Community Beginner

    All,

    As per Doc ID 2270711.1, in OBIEE – Administration Console – servers, I have the Listen Address set as the FQDN for both AdminServer and bi_server1.

    If, after having run ‘ssl.sh internalssl true’, I then run the check ‘ssl.sh report’, I get a ping failure

    Ping failures (1):

    Target: bi_server1:BI-SECURITY-SOAP @ <myhost>:9505

    If the Listen Address is set back to blank (I cleared the entries for both AdminServer and bi_server1), then after running ‘ssl.sh internalssl true’ the ‘ssl.sh report’ check now succeeds; all 6 ping checks report success.

    This does not, however, fix my core problem of the SSL errors being generated and recorded in the sawlog.log and obis1-diagnostic.log files.

    After having set ‘ssl.sh internalssl true’, I note from ‘netstat -anp | grep CLOSE_WAIT’ that there are an increasing number of connections reported in the CLOSE_WAIT state.

    I shall reset to ‘ssl.sh internalssl false’ and wait for progress on the BUG 24745827.

    Mike
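
The thread leaves open how a certificate issued by an internal CA becomes trusted by the openssl client, and the quoted Oracle Support reply ties the ping failure to a machine name that differs from the listen address. The lab script below is an added example, not part of any post and not taken from Oracle's ssl.sh: it builds a constructed CA and server certificate in a temp directory and shows how `openssl verify` responds to a missing trust anchor and to a host name that does not match the certificate. All names and paths in it are assumptions, and the thread does not state whether `ssl.sh report` performs the same checks.

```shell
#!/bin/sh
# Added lab example: every key, certificate and host name below is constructed
# in a temp directory; nothing is read from or written to an OBIEE domain.
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
CERT_HOST="bi-host.example.internal"     # name placed in the certificate CN (constructed)
OTHER_HOST="bi-clone.example.internal"   # a different name for the same server (constructed)

make_lab() {
  # Private CA, standing in for an installer-generated internal CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Internal CA" \
    -keyout "$LAB/ca.key" -out "$LAB/ca.pem" 2>/dev/null
  # Server key and CSR, then a certificate issued by that CA (CN only, no SAN).
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Lab/CN=$CERT_HOST" \
    -keyout "$LAB/srv.key" -out "$LAB/srv.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/srv.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" \
    -CAcreateserial -days 2 -out "$LAB/srv.pem" 2>/dev/null
}

# Run `openssl verify` on the server certificate with the given options.
# Prints "OK", or openssl's first "error N at ... depth lookup" line on failure.
check() {
  if out=$(openssl verify "$@" "$LAB/srv.pem" 2>&1); then
    echo "OK"
  else
    printf '%s\n' "$out" | grep '^error [0-9]' | head -n 1
  fi
}

make_lab
# 1. Issuer unknown to the client: the chain cannot be built.
echo "no trust anchor     : $(check)"
# 2. Same certificate, with the issuing CA supplied as the trust anchor.
echo "CA supplied         : $(check -CAfile "$LAB/ca.pem")"
# 3. Trusted chain, and the name being checked matches the certificate CN.
echo "CA + matching name  : $(check -CAfile "$LAB/ca.pem" -verify_hostname "$CERT_HOST")"
# 4. Trusted chain, but the server is addressed by a name the certificate lacks.
echo "CA + different name : $(check -CAfile "$LAB/ca.pem" -verify_hostname "$OTHER_HOST")"
```

Against a live listener, the same two inputs are passed to `openssl s_client` with `-CAfile` and `-verify_hostname`; the location of the internal CA certificate in an OBIEE domain is not given in the thread.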