EUS and SSLv3 issues

Starting with JDK 7u75 release, the SSLv3 protocol (Secure Socket Layer) has been deactivated and is not available by default. If your OUD server is running with JDK 7u75 or higher, you may experience issues with EUS when trying to authenticate:

ORA-28030: Server encountered problems accessing LDAP directory service

And OUD access log will display the following error:

[08/Jan/2016:10:43:13 +0100] CONNECT conn=26 from=10.166.139.54:48916 to=10.166.139.54:1636 protocol=LDAPS
[08/Jan/2016:10:43:13 +0100] DISCONNECT conn=26 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"

The proper method to fix this issue is to apply patch 19285025 on the database, which will fix the LDAP library used to perform the connection between the database and OUD and use another algorithm.

A quick workaround is to edit the file $JRE_HOME/lib/security/java.security and remove “SSLv3” from the line defining jdk.tls.disabledAlgorithms (on the machine where OUD runs, for the java version used by OUD), then stop and restart OUD. This will allow OUD to use SSLv3. Note that this workaround should not be applied in production as SSLv3 is obsolete and should not be used anymore. The correct fix is to patch the database.

Advertisements

Enterprise Manager Cloud Control and eusm issues: AuthenticationException

Enterprise Manager Cloud Control is a web-based interface that allows to administer Enterprise User Security. When connecting to  OUD server, the interface may complain about an invalid password even though the credentials are correct.

The same problem happens with eusm 12c (the command-line tool delivered with Oracle Database):

$ eusm listDomains realm_dn=dc=example,dc=com ldap_host=$ldap_host ldap_port=1389 ldap_user_dn="cn=directory manager" ldap_user_password=****
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

If OUD access log shows the following error:

The server was not able to find any user entries for the provided username of cn=directory manager

then the fix is provided in Oracle Identity Management Suite Bundle Patch 11.1.2.2.8 (22085294), or Oracle Identity Management Suite Bundle Patch 11.1.2.3.3 (22085274)  depending on your OUD version.

The connection method between Enterprise Manager Cloud Control and OUD (or eusm 12c and OUD) is using SASL/DIGEST-MD5 authentication instead of a simple BIND. SASL/DIGEST-MD5 requires the password to be stored in a reversible password storage scheme, which means that the additional configuration steps are also needed:

1/ identify the password policy applying to the user cn=directory manager

$ OracleUnifiedDirectory/bin/ldapsearch -h $ldap_host -p 4444 -X -Z -D "cn=directory manager" -w password -b "cn=directory manager,cn=root dns,cn=config" -s base "(objectclass=*)" ds-pwp-password-policy-dn
dn: cn=Directory Manager,cn=Root DNs,cn=config
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config

2/ modify the user’s password policy to use a reversible password storage scheme (AES for instance):

$ OracleUnifiedDirectory/bin/dsconfig set-password-policy-prop --policy-name "Root Password Policy" --set default-password-storage-scheme:AES --hostname $ldap_host --port 4444 -X -D "cn=directory manager" -j pwd.txt -n

3/ modify the user’s password to generate a new reversible password hash:

$ OracleUnifiedDirectory/bin/ldappasswordmodify -h $ldap_host -p 1389 -D "cn=directory manager" -w oldpwd  -c oldpwd -n newpwd
The LDAP password modify operation was successful

At this point, Enterprise Manager Cloud Control and eusm 12c will be able to authenticate to OUD and administer Enterprise User Security.

Welcome!

Identity Management is a central topic for many organisations. Each company has specific needs and challenges to address, and many choose to adopt Oracle Unified Directory as their LDAP server.

My name is Florence Blanc-Renaud, and I am working at Oracle as Software Development Engineer, in Oracle Unified Directory team. I am mainly focusing on OUD integration with Enterprise User Security, a really nice feature of Oracle Database allowing to authenticate to the database with credentials stored in OUD server.

My posts on this blog will describe deployment guidelines or technical tips for OUD and EUS. I hope you will find those helpful.

Please note that the views expressed on this blog are my own and do not necessarily reflect the view of Oracle.