
Oracle SOA 11.1.1.7 has problems with external Active Directory provider accessed via SSL (AIX 6.1)

Hello,

I open this discussion for all of you who use Oracle SOA 11.1.1.7 with an external LDAP provider over SSL, in order to share with you the workaround solution we found for our problems, and of course to receive feedback from you if you know a better solution.

In our organization Oracle SOA 11.1.1.7 is installed on AIX 6.1 and uses an external LDAP provider over SSL (MS Active Directory).

The order of providers in the security realm is: MS AD, Default Authenticator.

1. If a WL user is not a member of the Administrators group, it cannot monitor the composites dashboard in EM.

2. SOA Composer reports ADF errors when we try to open Business Rules and Human Tasks.

In the first case, when we try to add a non-AD user to SOAMonitor we receive the following errors:

<Error> <oracle.ods.virtualization.engine.backend.jndi.LDAP3.BackendJNDI> <   > <AdminServer> <[ACTIVE] ExecuteThread: '23' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <:-::--> <> <LIBOVD-60143> <[#LDAP3]  Unable to create connection to ldap://[<AD Host>]:<SSL Port> as null.
javax.naming.CommunicationException: simple bind failed: <AD host>:<SSL Port>[Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:207)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2732)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:308)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:187)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:205)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:148)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:78)
    ....
Caused By: oracle.sysman.emSDK.app.exception.EMSystemException
    at oracle.sysman.emas.model.security.EMJpsASObject.throwsEMSystemException(EMJpsASObject.java:112)
    at oracle.sysman.emas.model.security.DialogAdminBean.fetchEntRoles(DialogAdminBean.java:779)
    at oracle.sysman.emas.model.security.DialogAdminBean.fetchRoleList(DialogAdminBean.java:622)
    .....

In the second case we get the following errors:

ADF_FACES-60096:Server Exception during PPR, #1[[
javax.el.ELException: java.lang.NullPointerException
    at javax.el.BeanELResolver.getValue(BeanELResolver.java:298)
    at com.sun.faces.el.DemuxCompositeELResolver._getValue(DemuxCompositeELResolver.java:173)
    at com.sun.faces.el.DemuxCompositeELResolver.getValue(DemuxCompositeELResolver.java:200)
    at com.sun.el.parser.AstValue.getValue(AstValue.java:138)
    ...
ADFc: While attempting to handle this exception the application's exception handler failed.[[
javax.el.PropertyNotFoundException: Target Unreachable, 'searchView' returned null
    at com.sun.el.parser.AstValue.getTarget(AstValue.java:108)
    at com.sun.el.parser.AstValue.setValue(AstValue.java:160)
    ...
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

In both cases the root cause is the fact that the first provider is the AD provider over SSL. If you don't use the LDAP over SSL port, everything works fine.

After spending many hours trying to resolve these problems, we finally succeeded in finding the following solution:

--------------------------

Prerequisites: Set up the Default and AD providers as described in the Oracle documentation (AD provider over SSL; AD provider and Default provider with control flag SUFFICIENT; reorder so that the AD provider is first).

Steps to resolve the problems:
1. Log in as weblogic in Enterprise Manager.
2. Go to WebLogic Domain -> <Domain Name> -> Security -> Security Provider Configuration and click the "Configure" button for Identity Store.
3. Click Add and enter the new property "virtualize" with value "true".
4. Save and log out.
5. Log in to the WL Admin Console.
6. Stop all managed servers and keep only the Admin Server up and running.
The steps below basically follow the steps described in Doc ID 1465228.1.
7. Set the environment variables ORACLE_HOME, WL_HOME and JAVA_HOME.
For example (on Windows):
    set ORACLE_HOME=<MW_HOME>\Oracle_BI1
    set WL_HOME=<MW_HOME>\wlserver_10.3
    set JAVA_HOME=<MW_HOME>\jdk160_24
8. !!!!! Copy wljarbuilder.jar from the Business Intelligence Suite (or wherever you find it) into your SOA WL_HOME.
9. !!!! Find the ovd.lock file on the file system and delete it !!!!
    <MW_HOME>\user_projects\domains\<your domain>\config\fmwconfig\ovd\default\
10. Set up the keystore by running libovdconfig.sh (on UNIX) or libovdconfig.bat (on Windows) with the -createKeystore option.
For example, on UNIX, open a shell prompt and change the directory to <MW_HOME>/oracle_common/bin. Then run the following command (which prompts for the Oracle Business Intelligence administrator user name and password), for example:
    ./libovdconfig.sh -host <hostname> -port <Admin_Server_Port> -userName <Admin User> -domainPath <MW_HOME>/user_projects/domains/<your domain> -createKeystore
Windows location:
    <MW_HOME>\oracle_common\bin\libovdconfig.bat
11. When prompted, enter the administrator password and the OVD Keystore password (a new password that will be used to secure the Keystore file created by the libovdconfig.sh -createKeystore command).
Once this command runs, you should see two new credentials in the Credential Store and a new Keystore file called adapters.jks under <MW_HOME>\user_projects\domains\<your_domain>\config\fmwconfig\ovd\default\keystores.
12. Export the root certificate from the LDAP directory (refer to your LDAP documentation on how to do this).
13. Import the root certificate into the libOVD keystore using the keytool command:
    <MW_HOME>/jdk160_24/bin/keytool -import -keystore <MW_HOME>/user_projects/domains/<your domain>/config/fmwconfig/ovd/default/keystores/adapters.jks -storepass <KeyStore password> -alias <alias of your choice> -file <Certificate filename>
14. Restart WebLogic.


The LDAP over SSL problems in Oracle SOA 11.1.1.7 are solved!

Regards,

Orlin Stoyanov

PS: We also experience a problem with some composites which are not visible in Enterprise Manager under soa-infra. Everyone who knows how to fix this problem is welcome.
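As an added pre-flight check for the procedure above (my own example, not code from the original post, from Oracle, or from Doc ID 1465228.1), the script below verifies before the restart in step 14 that the libOVD keystore from steps 9 to 13 is actually usable: the root exception in the first trace, "the trustAnchors parameter must be non-empty", is what the JDK throws when the truststore handed to the TLS layer contains no CA certificate at all, so the meaningful check is that adapters.jks now holds at least one trusted certificate entry. DOMAIN_HOME, the keystore password, the alias and the AD host and port are assumed placeholders; the JDK keytool and openssl are assumed to be on the PATH of the admin host.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# libOVD truststore before WebLogic is restarted (step 14).
# DOMAIN_HOME below is an assumed placeholder; override it in the environment.
DOMAIN_HOME="${DOMAIN_HOME:-/u01/app/oracle/user_projects/domains/soa_domain}"
OVD_DIR="$DOMAIN_HOME/config/fmwconfig/ovd/default"
KEYSTORE="$OVD_DIR/keystores/adapters.jks"

# Step 9: a leftover ovd.lock must be gone before libovdconfig.sh is run.
# Returns 0 when no lock file is present in the given ovd directory.
check_no_lock() {
    if [ -e "$1/ovd.lock" ]; then
        echo "stale lock file present: $1/ovd.lock" >&2
        return 1
    fi
    return 0
}

# Step 11: adapters.jks must exist and be non-empty after -createKeystore.
check_keystore_present() {
    [ -s "$1" ] || { echo "missing or empty keystore: $1" >&2; return 1; }
}

# Count trusted CA entries in a 'keytool -list' listing read from stdin.
# A count of zero is exactly the condition behind the JDK error
# "the trustAnchors parameter must be non-empty" seen in the first trace.
count_trust_anchors() {
    count=$(grep -c 'trustedCertEntry' || true)
    echo "${count:-0}"
}

# Step 13: confirm the AD root CA was imported under the chosen alias.
# Requires the JDK keytool on PATH (assumption).
check_alias_present() {
    ks="$1"; pass="$2"; ca_alias="$3"
    keytool -list -keystore "$ks" -storepass "$pass" -alias "$ca_alias" >/dev/null 2>&1
}

# Step 12 sanity check: the AD endpoint's certificate chain should validate
# against the exported root certificate before that root is trusted in
# adapters.jks. Requires openssl on PATH (assumption).
check_ldaps_chain() {
    host="$1"; port="$2"; cafile="$3"
    printf '' | openssl s_client -connect "$host:$port" -CAfile "$cafile" 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Full pre-flight: usage  run_preflight <keystore password>
# Stops at the first failing check and returns non-zero.
run_preflight() {
    check_no_lock "$OVD_DIR" || return 1
    check_keystore_present "$KEYSTORE" || return 1
    anchors=$(keytool -list -keystore "$KEYSTORE" -storepass "$1" 2>/dev/null | count_trust_anchors)
    [ "$anchors" -gt 0 ] || { echo "no trust anchors in $KEYSTORE" >&2; return 1; }
    echo "ok: $anchors trusted certificate(s) in $KEYSTORE"
}
```

Source the file and call run_preflight with the OVD keystore password; if it reports zero trust anchors, the keytool import in step 13 did not land in the keystore that libOVD actually reads, which is the same situation the LIBOVD-60143 error describes.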
