4 Replies Latest reply: Aug 21, 2012 10:23 PM by 957086

    failure to negotiate SSL connection with component obtool

    525819
      Hi,

      I installed 2 instances of OSB 10.3 on two different hosts (both are administrative servers, one of them is a media server). One of the servers had a client OSB installation, then I uninstalled it (removed the repository and the main directory), then installed it again as an administrative server. Now I want them to get acquainted. When I try to run mkhost on one host to create an entry for the other one, there is an error:
      ob> mkhost -a ob -o -r admin,client oraserv2
      Error: can't connect to OB host oraserv2 - failed to validate certificate

      Watching observiced.log on oraserv2 at the same time shows two new lines:
      failure to negotiate SSL connection with component obtool on fd 8 - SSL fatal alert during negotation (FSP Oracle network security functions)
      i.e. the servers do communicate, but without success. Symmetrically, the same problem occurs when I run mkhost command on oraserv2.

      What could be wrong?

      I learned by reading this forum that SSL certificate might become old (or invalid... ), and that creates such a problem. How can I reset the host certificate, if that is the problem? Actually, which one is invalid -- since there are two hosts and two certificates?

      Thanks,
      Dmitry.

      Edited by: user522816 on Jul 20, 2010 8:28 AM
        • 1. Re: failure to negotiate SSL connection with component obtool
          rdoogan-Oracle
          A client can only belong to one admin server, so the admin server is its own client. So typically you would just have one admin host to control the whole domain and the other machines would be clients and/or clients and media servers.

          Rich
          • 2. Re: failure to negotiate SSL connection with component obtool
            525819
            Hi,

            Thanks a lot, it does explain my problem.
            Following your suggestion, I reconfigured oraserv2 to be a client (via the full uninstall, taking the options to remove both the admin and OSB directories). Now an attempt to perform the same mkhost command from the admin server "oraserv" results in another malfunction:

            On oraserv (the admin), obtool loops forever printing "Info: waiting for host to update certification status..."
            On oraserv2 (the client), observiced.log gets a new message each minute: "unexpected certification failure! - observiced not running (OB connection mgr)". Of course, observiced is running (verified via "ps" and "/etc/init.d/observiced status") and is listening on port 400 (verified using lsof -p <pid>).

            .hostid file correctly lists both hosts:

            cat /usr/etc/ob/.hostid
            my host uuid:               7e9f8682-1348-102d-aa23-080020e69686
            admin host uuid:            16d923f6-7611-102d-9d1a-18a90576fc94
            admin host ip:              oraserv
            cert key size:              1024
            distinguished name:         CN=7e9f8682-1348-102d-aa23-080020e69686,O=Oracle,C=US



            Any suggestions?

            Thanks already,
            Dmitry.

            Edited by: user522816 on Jul 20, 2010 2:49 PM
            • 3. Re: failure to negotiate SSL connection with component obtool
              525819
              Hi,

              Configuring the OSB record for oraserv with its real IP address solved the second problem.

              Cheers,
              Dmitry
              • 4. Re: failure to negotiate SSL connection with component obtool
                957086
                You're right, because you can use the 'cat /usr/etc/ob/.hostid' command on the osbsrv2 machine:
                cat /usr/etc/ob/.hostid
                my host uuid: 74d2bf7e-cc56-102f-aa6b-005056b5692c
                admin host uuid: 74d2bf7e-cc56-102f-aa6b-005056b5692c
                admin host ip: yj_data
                cert key size: 1024
                distinguished name: CN=74d2bf7e-cc56-102f-aa6b-005056b5692c,O=Oracle,C=US

                We can see the admin host IP is not a real IP, so you must modify /etc/hosts on osbsrv2 and add the IP information.

                Everything will be OK!

                dear

                Will
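
The check discussed in replies 3 and 4, written out as an added example (not code from the thread or from Oracle): it reads the "admin host ip" field from a .hostid file in the format quoted above and tests whether a hosts file maps that name to a usable address. The function names and sample data are constructed for illustration, and treating a loopback mapping as "not a real IP" is an assumption.

```shell
#!/bin/sh
# Added example: sanity-check an OSB .hostid file against a hosts file.
# Field labels follow the .hostid output quoted in the thread.

# hostid_field FILE LABEL -> value of the "LABEL: value" line
hostid_field() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# lookup_host HOSTSFILE NAME -> first address mapped to NAME (empty if none)
lookup_host() {
    awk -v n="$2" '
        { sub(/#.*/, "") }                       # drop comments
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$1"
}

# check_hostid HOSTIDFILE HOSTSFILE -> prints a one-line verdict
check_hostid() {
    admin=$(hostid_field "$1" "admin host ip")
    mine=$(hostid_field "$1" "my host uuid")
    dn=$(hostid_field "$1" "distinguished name")
    # The certificate DN should carry this host's own UUID as its CN.
    case "$dn" in
        "CN=$mine,"*) ;;
        *) echo "DN_MISMATCH"; return 1 ;;
    esac
    case "$admin" in
        *[!0-9.]*) addr=$(lookup_host "$2" "$admin") ;;  # a name: resolve it
        *)         addr=$admin ;;                        # already dotted-quad
    esac
    case "$addr" in
        "")        echo "UNRESOLVED $admin"; return 1 ;;
        127.*|::1) echo "LOOPBACK $admin -> $addr"; return 1 ;;  # assumption
        *)         echo "OK $admin -> $addr" ;;
    esac
}

# Constructed sample data (UUIDs and addresses are made up).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/hostid" <<'EOF'
my host uuid:               00000000-0000-0000-0000-000000000001
admin host uuid:            00000000-0000-0000-0000-000000000002
admin host ip:              oraserv
cert key size:              1024
distinguished name:         CN=00000000-0000-0000-0000-000000000001,O=Oracle,C=US
EOF
printf '127.0.0.1 localhost\n' > "$tmp/hosts.bad"
printf '127.0.0.1 localhost\n192.0.2.10 oraserv\n' > "$tmp/hosts.good"
check_hostid "$tmp/hostid" "$tmp/hosts.bad" || true
check_hostid "$tmp/hostid" "$tmp/hosts.good"
```

On a real client the same check would be `check_hostid /usr/etc/ob/.hostid /etc/hosts`.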