For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!
Interested in getting your voice heard by members of the Developer Marketing team at Oracle? Check out this post for AppDev or this post for AI focus group information.
While opening the DBaas Monitor Console, I am getting the error - 'Server has a weak ephemeral Diffie-Hellman public key'. Though I am able to connect to the cloud Database without any issues.
Regards,
Samar
I was using Google Chrome and got this error. I got initially misled by this error as I was not very confident about the public key.
I however do not get it in Firefox.
Cheers!!
Hi Samar,
This is a change in the Google Chrome (and others) browser, essentially to plug a security hole in the Diffie-Hellman Key Exchange protocol.
My understating is that Google took the decision to prevent accepting ciphers which were susceptible to the security hole, which is great in one sense, but in doing that they rendered many sites unaccessible (until the website operators fixed the issue on their side).
For us - this means (I believe) that we need to either -
1) Use a different browser (such as IE), which has not yet blocked the affected keys
2) Update the DBaaS console / Glassfish etc to not use those ciphers
3) Wait for Oracle to fix and release new images
I had a go at doing 2 last week and thought I had it working, but then found I'd broken it under certain circumstances - if I get it working I'll do a blog post on what I had to change.
Hope this helps
John
--------------------------------------------
Blog: http://jes.blogs.shellprompt.net
Work: http://www.apex-evangelists.com
as the opc user
cd /u01/app/oracle/product/glassfish3/bin
./asadmin set 'configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl3-tls-ciphers=+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA'
./asadmin set 'configs.config.server-config.network-config.protocols.protocol.sec-admin-listener.ssl.ssl3-tls-ciphers=+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA'
then bounce glassfish using the dbaascli tool
fixed by the end of the month in the new base images.
The above fix does work.
Just one note:
bounce glassfish using dbaascli tool - with user root only.
Otherwise error:
-bash-4.1$ dbaascli glassfish stop
mkdir: cannot create directory `/var/opt/oracle/log/dbaascli/': Permission denied
DBAAS CLI version 1.0.0
Executing command glassfish stop
Unable to run command. This command should be run as user: oracle or root. Currently: opc
dbaascli glassfish stop and start commands appear to work under root, but dbaascli glassfish status fails:
bash-4.1# dbaascli glassfish status
Executing command glassfish status
Calculating the status and metrics:
Authentication failed for user: admin
with password from password file: /u01/app/oracle/product/glassfish3/bin/statuspwd.txt
(Usually, this means invalid user name and/or password)
domain1 running
Command list-domains executed successfully.
Command list-http-listeners failed.
Command uptime failed.
I wonder what the reason is for using the dbaascli tool instead of bouncing via init.d ?
/etc/init.d/glassfish start/stop/restart
Running it as the Oracle user worked for me -
[oracle@OC1 ~]$ dbaascli glassfish stop
Starting the GlassFish domain1
Environment variable GLASSFISH_HOME not set
Waiting for the domain to stop ..
Command stop-domain executed successfully.
[oracle@OC1 ~]$ dbaascli glassfish start
Executing command glassfish start
Waiting for domain1 to start ...........
Successfully started the domain : domain1
domain Location: /u01/app/oracle/product/glassfish3/glassfish/domains/domain1
Log File: /u01/app/oracle/product/glassfish3/glassfish/domains/domain1/logs/server.log
Admin Port: 4848
Command start-domain executed successfully.
in firefox
Go to about:config
search for
security.ssl3.dhe_rsa_aes_128_sha and
security.ssl3.dhe_rsa_aes_256_sha
change to false
DO NOT ALTER THE SECURITY SETTINGS IN YOUR BROWSER
This is a VERY bad idea for it opens you up to multiple attack vectors.
I have given you the solution and can provide a UI way as well if needed.