10 Replies Latest reply on Nov 11, 2015 1:26 AM by GUGGI

    Oracle OPMN is not getting started after changing opmn.xml

    3066272

      I have followed the instructions from Oracle Support Note 1937646.1 to mitigate the SSLv3 POODLE vulnerability in Oracle Applications 12.1.2. As per the instructions given, I have changed the following section in the file opmn.xml:

       

      Changed the following:

       

      <ssl enabled="true" wallet-file="/p02/oracle/JVPROD/inst/apps/JVPROD_xa-ccusdlc01/certs/opmn"/>

       

      to

       

      <ssl enabled="true" wallet-file="/p02/oracle/JVPROD/inst/apps/JVPROD_xa-ccusdlc01/certs/opmn" ssl-versions="TLSv1.0" ssl-ciphers="SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

       

      After the change, when I restart OPMN, the following errors appear:

       

      In line 22 of /p02/oracle/JVPROD/inst/apps/JVPROD_xa-ccusdlc01/ora/10.1.3/opmn/conf/opmn.xml:

      LSX-00026: unknown attribute "ssl-versions"

        LSX-00026: unknown attribute "ssl-ciphers"

          LSX-00213: only 0 occurrences of particle "sequence", minimum is 1

      XML schema validation failed: error 213.

      opmnctl: opmn.xml validation failed.

       

      Any help regarding the same would be highly appreciated.

        • 1. Re: Oracle OPMN is not getting started after changing opmn.xml
          Pravin Takpire

          This may be because of some spacing or syntax issue in the file.

          Please try as below:

          <ssl enabled="true"

          wallet-file="/p02/oracle/JVPROD/inst/apps/JVPROD_xa-ccusdlc01/certs/opmn" ssl-versions="TLSv1.0"

          ssl-ciphers="SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

           

          regards

          Pravin

          • 2. Re: Oracle OPMN is not getting started after changing opmn.xml
            3066272

            Thanks Pravin for your response.

             

            I have changed the file as per your suggestions, but the same error is coming up. Any other suggestions, please?

             

            Regards,

            Souvik

            • 3. Re: Oracle OPMN is not getting started after changing opmn.xml
              Jignesh Makwana

              Hello,

               

              What is the FMW_HOME version?

               

              Please check below note for detail

              New SSL Protocol and Cipher Options for Oracle Fusion Middleware's OPMN/ONS Component (Doc ID 1905314.1)


              Jignesh

              • 4. Re: Oracle OPMN is not getting started after changing opmn.xml
                3066272

                Hi Jignesh,

                 

                Thanks a lot for the reference note.

                 

                My FMW_HOME version is 10.1.3.4.0. Will it be possible for me to change the SSL version and ciphers without upgrading my FMW_HOME version to 10.1.3.5?

                 

                Regards,

                Souvik.

                • 5. Re: Oracle OPMN is not getting started after changing opmn.xml
                  GUGGI

                  Hi

                   

                  I am not sure why the opmn.xml needs to be updated. I have disabled SSLv3 in our environment, and all I did was the following.

                   

                  Open the ssl.conf file under $INST_TOP/ora/10.1.3/Apache/Apache/conf

                  Current parameters:

                  SSLProtocol    -all +TLSv1 +SSLv3
                  SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

                  Change them to:

                  #SSLProtocol    -all +TLSv1 +SSLv3
                  SSLProtocol all -SSLv2 -SSLv3
                  SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

                  Run AutoConfig.

                   

                  After I had done this, I used an SSL analyzer tool to validate the ciphers that were being allowed, and I could see that SSLv3 ciphers were no longer allowed.

                   

                  It allowed TLSv1, which was the preferred one.

                   

                  Amit
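The SSLProtocol change in Amit's post above depends on how Apache processes the directive's tokens from left to right: a bare name resets the protocol set, `+name` adds to it, `-name` removes from it, and `all` expands to every protocol the build knows. The following Python script is an added example, not code from this thread or from Oracle. It evaluates an `SSLProtocol` line with those semantics and audits an ssl.conf fragment for SSLv2/SSLv3 still being negotiable. Assumptions: the protocol names in `SUPPORTED` (SSLv2, SSLv3 and TLSv1, what an OHS 10.1.3-era server recognises; newer mod_ssl builds add TLSv1.1 and TLSv1.2), that OHS's SSL module follows the same token semantics as Apache mod_ssl, that a missing directive means `all`, and that `<VirtualHost>` scoping can be ignored for the file being checked.

```python
"""Evaluate Apache/OHS `SSLProtocol` directives the way mod_ssl does and
audit an ssl.conf fragment for SSLv2/SSLv3 exposure (POODLE).

Added example for the thread above; not Oracle's or Apache's code.
"""

import re

# Assumption: the protocol names this build recognises. OHS 10.1.3-era
# servers know only these three; newer mod_ssl adds TLSv1.1 and TLSv1.2.
SUPPORTED = ("SSLv2", "SSLv3", "TLSv1")

# Protocols that must not be negotiable after the POODLE fix.
FORBIDDEN = {"SSLv2", "SSLv3"}


def parse_sslprotocol(directive: str) -> set:
    """Return the set of enabled protocols for one `SSLProtocol ...` line.

    Tokens are applied left to right: `-name` removes, `+name` adds, a bare
    name (or bare `all`) replaces whatever was accumulated so far.
    """
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError(f"not an SSLProtocol directive: {directive!r}")
    enabled = set()
    for tok in tokens[1:]:
        action = tok[0] if tok[0] in "+-" else None
        name = tok.lstrip("+-")
        if name.lower() == "all":
            names = set(SUPPORTED)
        else:
            names = {p for p in SUPPORTED if p.lower() == name.lower()}
            if not names:
                raise ValueError(f"unknown protocol {name!r} in {directive!r}")
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names  # bare token overrides what came before
    return enabled


def audit_ssl_conf(text: str) -> dict:
    """Find the effective (last, uncommented) SSLProtocol line in an
    ssl.conf body and report whether SSLv2/SSLv3 are still enabled.

    Assumption: one scope only; <VirtualHost> blocks are not tracked.
    """
    effective = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments such as the disabled old directive
        if re.match(r"(?i)^sslprotocol\b", stripped):
            effective = stripped  # a later directive wins within a scope
    if effective is None:
        enabled = set(SUPPORTED)  # assumption: mod_ssl's default is `all`
    else:
        enabled = parse_sslprotocol(effective)
    return {
        "directive": effective,
        "enabled": enabled,
        "poodle_exposed": bool(enabled & FORBIDDEN),
    }


# Constructed samples mirroring the before/after from the post above.
BEFORE = """SSLProtocol    -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
"""
AFTER = """#SSLProtocol    -all +TLSv1 +SSLv3
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        r = audit_ssl_conf(conf)
        print(f"{label}: {r['directive']} -> {sorted(r['enabled'])} "
              f"exposed={r['poodle_exposed']}")
```

A file-level check like this only tells you what the configuration asks for; AutoConfig can regenerate ssl.conf from templates, and a load balancer in front can terminate TLS with its own settings, so the effective protocol set still has to be confirmed from a client, which is what the sslyze runs later in this thread do.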

                  • 6. Re: Oracle OPMN is not getting started after changing opmn.xml
                    3066272

                    Thanks Amit for your response!

                     

                    I did the same, as suggested by you. But I think it's still using the SSLv3 protocol. Please find below an image of the connection details in my environment when I open the instance's home page (screenshot from the Mozilla browser):

                     

                    [screenshot: SSL.jpg]

                    Amit, could you please let me know how you confirmed that TLSv1 is being used in your environment?

                     

                    Regards,

                    Souvik

                    • 7. Re: Oracle OPMN is not getting started after changing opmn.xml
                      GUGGI

                      Hi Souvik,

                       

                      I had downloaded an SSL analyzer tool called sslyze-0_11-windows.zip

                       

                      After unzipping it, I ran the following command:

                      C:\Data\ssla\sslyze>sslyze.exe --regular suppliertest.au.baesystems.com:443

                       

                      In the output I see:

                        * SSLV2 Cipher Suites:
                            Server rejected all cipher suites.

                        * TLSV1_2 Cipher Suites:
                            Accepted:

                        * TLSV1 Cipher Suites:
                            Accepted:
                                       DES-CBC3-SHA                  -              112 bits      HTTP 302 Found - https://suppliertest.au.baesystems.com:443/OA_HTML/AppsLogin

                        * SSLV3 Cipher Suites:
                            Server rejected all cipher suites.

                       

                      SCAN COMPLETED IN 4.38 S
                      ------------------------

                       

                      Looking at document 1937646.1 again, it sort of suggests that even the opmn.xml change is needed. But I have not been questioned any more on whatever I have done to take care of the POODLE vulnerability. My second assurance has been that we have an A10 device in front, and that has been configured to not allow SSLv2/3 traffic.

                       

                      See what sort of results you get after running the tool.

                       

                      Amit

                      • 8. Re: Oracle OPMN is not getting started after changing opmn.xml
                        3066272

                        Hi Amit,

                         

                        I checked with the SSL analyzer tool that you provided. Below is its output:

                         

                        --------------------------------------------------------------------------------

                          * TLSV1_1 Cipher Suites:
                              Server rejected all cipher suites.

                          * TLSV1 Cipher Suites:
                              Undefined - An unexpected error happened:
                                         SEED-SHA                            OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         RC4-SHA                             OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         RC4-MD5                             OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         NULL-SHA                            OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         NULL-MD5                            OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         IDEA-CBC-SHA                        OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         EXP-RC4-MD5                         OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         EXP-RC2-CBC-MD5                     OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         EXP-EDH-RSA-DES-CBC-SHA             OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         EXP-EDH-DSS-DES-CBC-SHA             OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         EXP-DES-CBC-SHA                     OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         EXP-ADH-RC4-MD5                     OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         EXP-ADH-DES-CBC-SHA                 OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         EDH-RSA-DES-CBC3-SHA                OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         EDH-RSA-DES-CBC-SHA                 OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         EDH-DSS-DES-CBC3-SHA                OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         EDH-DSS-DES-CBC-SHA                 OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDHE-RSA-RC4-SHA                   OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDHE-RSA-NULL-SHA                  OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDHE-RSA-DES-CBC3-SHA              OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDHE-RSA-AES256-SHA                OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDHE-RSA-AES128-SHA                OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDHE-ECDSA-RC4-SHA                 OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDHE-ECDSA-NULL-SHA                OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDHE-ECDSA-DES-CBC3-SHA            OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDHE-ECDSA-AES256-SHA              OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDHE-ECDSA-AES128-SHA              OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDH-RSA-RC4-SHA                    OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDH-RSA-NULL-SHA                   OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDH-RSA-DES-CBC3-SHA               OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDH-RSA-AES256-SHA                 OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDH-RSA-AES128-SHA                 OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDH-ECDSA-RC4-SHA                  OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDH-ECDSA-NULL-SHA                 OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDH-ECDSA-DES-CBC3-SHA             OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDH-ECDSA-AES256-SHA               OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ECDH-ECDSA-AES128-SHA               OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DHE-RSA-SEED-SHA                    OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DHE-RSA-CAMELLIA256-SHA             OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DHE-RSA-CAMELLIA128-SHA             OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DHE-RSA-AES256-SHA                  OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DHE-RSA-AES128-SHA                  OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DHE-DSS-SEED-SHA                    OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DHE-DSS-CAMELLIA256-SHA             OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DHE-DSS-CAMELLIA128-SHA             OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DHE-DSS-AES256-SHA                  OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DHE-DSS-AES128-SHA                  OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-RSA-SEED-SHA                     OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-RSA-DES-CBC3-SHA                 OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-RSA-DES-CBC-SHA                  OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-RSA-CAMELLIA256-SHA              OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-RSA-CAMELLIA128-SHA              OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-RSA-AES256-SHA                   OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-RSA-AES128-SHA                   OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-DSS-SEED-SHA                     OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-DSS-DES-CBC3-SHA                 OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-DSS-DES-CBC-SHA                  OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-DSS-CAMELLIA256-SHA              OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-DSS-CAMELLIA128-SHA              OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-DSS-AES256-SHA                   OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DH-DSS-AES128-SHA                   OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DES-CBC3-SHA                        OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         DES-CBC-SHA                         OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         CAMELLIA256-SHA                     OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         CAMELLIA128-SHA                     OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         AES256-SHA                          OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         AES128-SHA                          OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         AECDH-RC4-SHA                       OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         AECDH-NULL-SHA                      OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         AECDH-DES-CBC3-SHA                  OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         AECDH-AES256-SHA                    OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         AECDH-AES128-SHA                    OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ADH-SEED-SHA                        OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ADH-RC4-MD5                         OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ADH-DES-CBC3-SHA                    OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ADH-DES-CBC-SHA                     OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ADH-CAMELLIA256-SHA                 OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ADH-CAMELLIA128-SHA                 OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ADH-AES256-SHA                      OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                                         ADH-AES128-SHA                      OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter

                          * SSLV3 Cipher Suites:
                              Preferred:
                                         RC4-SHA                       -              128 bits      HTTP 200 OK
                              Accepted:
                                         RC4-SHA                       -              128 bits      HTTP 200 OK
                                         RC4-MD5                       -              128 bits      HTTP 200 OK
                                         EXP-RC4-MD5                   -              40 bits       HTTP 200 OK
                              Undefined - An unexpected error happened:
                                         EXP-DES-CBC-SHA                     SslError - Connection was shut down by peer
                                         EDH-RSA-DES-CBC3-SHA                SslError - Connection was shut down by peer
                                         EDH-RSA-DES-CBC-SHA                 SslError - Connection was shut down by peer
                                         DES-CBC3-SHA                        SslError - Connection was shut down by peer
                                         DES-CBC-SHA                         SslError - Connection was shut down by peer

                          * SSLV2 Cipher Suites:
                              Undefined - An unexpected error happened:
                                         RC4-MD5                             timeout - timed out
                                         EXP-RC4-MD5                         timeout - timed out

                        --------------------------------------------------------------------------------

                         

                        The above output means that it's using SSLv3 only. TLSv1 is getting rejected by the server. Not sure why it's happening.

                         

                        Your help would be appreciated.

                         

                        Thanks

                        Souvik
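Amit's scan (reply 7) and Souvik's scan (reply 8) were both read by eye. As an added example, not from this thread and not part of sslyze itself, the following Python script parses sslyze 0.x `--regular` text output into per-protocol tables of accepted cipher suites and returns a verdict: any suite accepted under SSLv3 means the host is still POODLE-exposed, and no suite accepted under any TLS version means the server has been locked to SSLv3 rather than away from it, which is exactly the shape of Souvik's result. The two embedded samples are constructed, condensed versions of the two outputs above (hostname replaced with a placeholder), and the `WEAK_MARKERS` list of cipher-name fragments is my own choice, not sslyze's.

```python
"""Parse sslyze 0.x `--regular` text output and judge SSLv3/TLS exposure.

Added example for the thread above; the sample scans are constructed,
condensed versions of the two outputs posted there.
"""

import re

HEADER_RE = re.compile(r"^\s*\*\s+(SSLV2|SSLV3|TLSV1(?:_[12])?) Cipher Suites:")
SUBSECTION_RE = re.compile(r"^\s*(Preferred|Accepted|Rejected|Undefined)\b")
REJECT_ALL_RE = re.compile(r"^\s*Server rejected all cipher suites\.")
# Accepted/Preferred rows look like: NAME  -  NNN bits  HTTP ...
CIPHER_RE = re.compile(r"^\s*([A-Z0-9-]+)\s+-\s+(\d+) bits\b")

# Assumption (my choice): name fragments that mark a suite as weak on sight.
WEAK_MARKERS = ("NULL", "EXP-", "RC4", "DES-CBC-", "MD5")


def parse_sslyze(text: str) -> dict:
    """Return {protocol: {"accepted": {cipher: bits}, "rejected_all": bool}}.

    Rows under `Undefined` (handshake errors, timeouts) carry no bit count and
    never match CIPHER_RE, so they are not counted as accepted.
    """
    results = {}
    proto = section = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            proto, section = m.group(1), None
            results[proto] = {"accepted": {}, "rejected_all": False}
            continue
        if proto is None:
            continue
        if REJECT_ALL_RE.match(line):
            results[proto]["rejected_all"] = True
            continue
        m = SUBSECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m and section in ("Preferred", "Accepted"):
            results[proto]["accepted"][m.group(1)] = int(m.group(2))
    return results


def verdict(results: dict) -> dict:
    """Summarise a parsed scan from the POODLE-mitigation point of view."""
    sslv3 = results.get("SSLV3", {}).get("accepted", {})
    sslv2 = results.get("SSLV2", {}).get("accepted", {})
    tls_any = any(r["accepted"] for p, r in results.items() if p.startswith("TLSV1"))
    weak = sorted(
        c for r in results.values() for c, bits in r["accepted"].items()
        if bits < 112 or any(mk in c for mk in WEAK_MARKERS)
    )
    return {
        "sslv3_accepted": bool(sslv3),
        "tls_accepted": tls_any,
        "poodle_exposed": bool(sslv3),
        "tls_only": tls_any and not sslv3 and not sslv2,
        "weak_ciphers": weak,
    }


# Constructed sample 1: condensed from Amit's scan (SSLv3 off, TLSv1 on).
AMIT_SCAN = """
  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.
  * TLSV1_2 Cipher Suites:
      Accepted:
  * TLSV1 Cipher Suites:
      Accepted:
                 DES-CBC3-SHA                  -              112 bits      HTTP 302 Found - https://host.example/OA_HTML/AppsLogin
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
"""

# Constructed sample 2: condensed from Souvik's scan (TLS rejected, SSLv3 on).
SOUVIK_SCAN = """
  * TLSV1_1 Cipher Suites:
      Server rejected all cipher suites.
  * TLSV1 Cipher Suites:
      Undefined - An unexpected error happened:
                 RC4-SHA                             OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
                 AES128-SHA                          OpenSSLError - error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
  * SSLV3 Cipher Suites:
      Preferred:
                 RC4-SHA                       -              128 bits      HTTP 200 OK
      Accepted:
                 RC4-SHA                       -              128 bits      HTTP 200 OK
                 RC4-MD5                       -              128 bits      HTTP 200 OK
                 EXP-RC4-MD5                   -              40 bits       HTTP 200 OK
      Undefined - An unexpected error happened:
                 DES-CBC3-SHA                        SslError - Connection was shut down by peer
  * SSLV2 Cipher Suites:
      Undefined - An unexpected error happened:
                 RC4-MD5                             timeout - timed out
"""

if __name__ == "__main__":
    for label, scan in (("Amit", AMIT_SCAN), ("Souvik", SOUVIK_SCAN)):
        print(label, verdict(parse_sslyze(scan)))
```

Run it against a saved `sslyze --regular host:443 > scan.txt` by reading the file into `parse_sslyze`; a `tls_only` of `False` with `poodle_exposed` of `True` is the "locked to SSLv3" case, which points at the TLS side of the server or the device in front of it rather than at the SSLv3 setting.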

                        • 9. Re: Oracle OPMN is not getting started after changing opmn.xml
                          GUGGI

                          Hi

                           

                          I think now you are in the right direction, as you can see that your server is not allowing TLS ciphers. This also proves that your config in E-Business Suite seems to be right.

                           

                          Are you using the server hostname in your URL, or some kind of load balancer for your web URL?

                           

                          If it's the hostname, check with the sysadmins as to why the server is not allowing TLS ciphers. It could be that they have not applied the POODLE fix at the server level.

                           

                          The same thing goes for the load balancer.

                          We use an A10 load balancer, and the network admins have made sure the necessary fix is applied on the LB to not allow SSL ciphers.

                          I can check with my sysadmins and get back to you regarding the TLS ciphers.

                           

                          Amit
