EUS: ORA-28030 error with CONNECT/DISCONNECT in OUD logs

You may face the following issue with EUS and OUD. When trying to authenticate using sqlplus, the authentication fails and sqlplus displays:

ORA-28030: Server encountered problems accessing LDAP directory service

Unfortunately, the OUD access logs do not help much, as they contain only the following:

[23/Feb/2016:13:48:29 +0100] CONNECT conn=73 from=10.166.139.54:30238 to=10.166.139.64:1636 protocol=LDAPS
[23/Feb/2016:13:48:29 +0100] DISCONNECT conn=73 reason="Client Disconnect"

 

This type of error happens when the database is not able to find its credentials in its wallet. To troubleshoot, first check which wallet is picked by the database, then make sure that the wallet contains the DN and password for the database.

  1. Enable the database logs to find the wallet location
    Edit $ORACLE_HOME/network/admin/sqlnet.ora and add the following lines:

    DIAG_ADR_ENABLED=OFF
    TRACE_DIRECTORY_SERVER=/path/to/logs/server
    TRACE_LEVEL_SERVER=16
    TRACE_LEVEL_CLIENT=16
    TRACE_DIRECTORY_CLIENT=/path/to/logs/client
    
    
  2. Run the sqlplus command and examine the logs in /path/to/logs/server. They will contain references to WALLET_LOCATION and display the path used to find the wallet.
  3. If the path is not consistent with your expectations (by default the wallet is in $ORACLE_BASE/admin/$ORACLE_SID/wallet), edit $ORACLE_HOME/network/admin/sqlnet.ora and add the following lines:
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /path/to/db/wallet)
        )
      )
    
    
  4. Make sure that the specified wallet is an auto-login wallet (the wallet directory must contain a cwallet.sso file):
    $ ls /path/to/db/wallet
    cwallet.sso ewallet.p12
  5. Make sure that the specified wallet contains a DN and password for the database (they were generated by dbca when the database was registered in the LDAP server):
    $ mkstore -wrl /path/to/db/wallet -viewEntry ORACLE.SECURITY.DN
    Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
    Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password: ******** 
    ORACLE.SECURITY.DN = cn=orcl11gr2,cn=OracleContext,dc=eusovd,dc=com
    
    $ mkstore -wrl /path/to/db/wallet -viewEntry ORACLE.SECURITY.PASSWORD
    Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
    Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password: ******** 
    ORACLE.SECURITY.PASSWORD = <password generated by dbca>
    
    
  6. If the entries are missing, you can re-run dbca and choose to generate a new password. dbca will then create the ORACLE.SECURITY.DN and ORACLE.SECURITY.PASSWORD entries in the wallet.
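
Steps 3 and 4 can be checked without enabling tracing. The script below is an added example, not part of the original procedure or any Oracle tool: it reads WALLET_LOCATION from sqlnet.ora, falls back to the default path, and verifies that an auto-login wallet is present. The function names and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Usage: check_eus_wallet "$ORACLE_HOME/network/admin/sqlnet.ora"

# Print the DIRECTORY value of WALLET_LOCATION from a sqlnet.ora file.
# A parameter starts in column 1 and its continuation lines are indented, so
# ENCRYPTION_WALLET_LOCATION (the TDE wallet) is not mistaken for it.
# Limitation (assumption): the path contains no whitespace or quotes.
wallet_dir_from_sqlnet() {
    awk '
        /^[ \t]*#/ { next }               # skip comment lines
        /^[^ \t]/ {                       # column 1: a new parameter starts
            name = toupper($0)
            sub(/[ \t]*=.*/, "", name)
            grab = (name == "WALLET_LOCATION")
        }
        grab { buf = buf $0 }             # collect the parameter and its continuations
        END {
            gsub(/[ \t\r]/, "", buf)
            if (match(toupper(buf), /\(DIRECTORY=[^)]*\)/))
                print substr(buf, RSTART + 11, RLENGTH - 12)
        }' "$1"
}

# Return codes (constructed for this example):
#   0 auto-login wallet found, 1 sqlnet.ora unreadable,
#   2 wallet directory missing, 3 no cwallet.sso in it
check_eus_wallet() {
    if [ ! -r "$1" ]; then echo "FAIL: cannot read $1"; return 1; fi
    dir=$(wallet_dir_from_sqlnet "$1")
    if [ -z "$dir" ]; then
        # Default location given in step 3
        dir="${ORACLE_BASE:-}/admin/${ORACLE_SID:-}/wallet"
        echo "WALLET_LOCATION not set, using default"
    fi
    echo "wallet directory: $dir"
    if [ ! -d "$dir" ]; then echo "FAIL: directory does not exist"; return 2; fi
    if [ ! -s "$dir/cwallet.sso" ]; then
        echo "FAIL: no cwallet.sso, not an auto-login wallet"; return 3
    fi
    echo "OK: auto-login wallet present; now check the entries (step 5):"
    echo "  mkstore -wrl $dir -viewEntry ORACLE.SECURITY.DN"
    echo "  mkstore -wrl $dir -viewEntry ORACLE.SECURITY.PASSWORD"
}
```

Run it as the OS user that owns the database processes, so the file checks reflect what the database can actually read.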

4 thoughts on “EUS: ORA-28030 error with CONNECT/DISCONNECT in OUD logs”

  1. Thanks for the great article; it helped me narrow down our issue. We still had the same connect/disconnect issue after going through all of the steps above. The other item that needed to be done in our case was to add both OUD servers to the /etc/hosts file on the db server. An alternative to this (just haven’t tested it yet) is to configure forward and reverse lookups for the OUD hosts in DNS.


  2. Hi Blanc, I tried to create a wallet using orapki and added the self-signed certificate of OUD to the database. But I am still getting the same issue.

    [oracle@MSCLIN104:/home/oracle] > sqlplus user.1@oudtest

    SQL*Plus: Release 12.2.0.1.0 Production on Fri Sep 7 12:23:44 2018

    Copyright (c) 1982, 2016, Oracle. All rights reserved.

    ERROR:
    ORA-28030: Server encountered problems accessing LDAP directory service

    Enter user-name: ^C
