OAM SSO Login Failure Due To Missing Communication Protocol With LDAP


After the recent quarterly security patching of your OAM environment, you may find that a routine sanity check fails with SSO login errors.

At first glance you might suspect the LDAP directory itself.

The underlying cause, however, is the TLS 1.2 requirement that applies to OAM 11.1.2.3 and later. With an older TLS version still negotiated by default, OAM could no longer establish an SSL connection to the LDAP server, and every authentication and authorization request that depended on the identity store failed.


Analysis

==> wls_oam2-diagnostic.log <==

[2022-08-07T00:25:25.765-04:00] [wls_oam2] [NOTIFICATION] [] [oracle.ods.virtualization.engine.backend.jndi.adapter1] [tid: [ACTIVE].ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 005tPwJxD_TEwGKayTaeMG0000tm00000V,0:1:4:1:4] [APP: oam_server] [partition-name: DOMAIN] [tenant-name: ****] Priming the connection pool.ldap://directory.****.ca:636
[2022-08-07T00:25:25.774-04:00] [wls_oam2] [WARNING] [LIBOVD-60024] [oracle.ods.virtualization.engine.backend.jndi.adapter1] [tid: [ACTIVE].ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 005tPwJxD_TEwGKayTaeMG0000tm00000V,0:1:4:1:4] [APP: oam_server] [partition-name: DOMAIN] [tenant-name: ****] Connection error: simple bind failed: directory.****.ca:636.

==> wls_oam2.out <==

<Aug 7, 2022 12:25:25,774 AM EDT> <Warning> <oracle.ods.virtualization.engine.backend.jndi.adapter1> <LIBOVD-60024> <Connection error: simple bind failed: directory.****.ca:636.>

The warning comes from the libOVD adapter that OAM uses to reach the identity store: the connection pool is primed against the directory on port 636 and the bind fails nine milliseconds later, which is consistent with a failed TLS handshake rather than a wrong service credential or a directory outage. Before changing anything in OAM, confirm which protocol versions the directory accepts (for example by forcing a client to one TLS version at a time); if TLS 1.2 connects and older versions are refused, the fix below is the right one.


Solution

On OAM 12.2.1.3 and later, oam-config.xml is stored in the database rather than on disk, so the change is made by exporting the file, editing it, and importing it back.

Follow the steps below:

1. Create a "prop.properties" file under /home/oracle. It will contain the OAM schema password in clear text, so restrict it to the oracle user (chmod 600) and remove it once the import is done.

2. The file should have the entries described in Doc ID 2310234.1:

oam.entityStore.ConnectString=jdbc:oracle:thin:@<DB_HOSTNAME>:<DB_PORT>/<SERVICE_NAME>
oam.entityStore.schemaUser=<OAM_SCHEMA_NAME>
oam.entityStore.schemaPassword=<OAM_SCHEMA_PASSWORD>
oam.importExportDirPath=<DIRECTORY_PATH>
oam.frontending=params=<WEBLOGIC_HOST>:<OAM_MANAGED_SERVER_PORT>:<http|https>

3. Set $ORACLE_HOME (the OAM Oracle Home), $DOMAIN_HOME (the OAM domain home) and $JAVA_HOME (the JDK used by WebLogic) in your environment.

4. Export oam-config.xml with this command:

$JAVA_HOME/bin/java -cp $ORACLE_HOME/idm/oam/server/tools/config-utility/config-utility.jar:$ORACLE_HOME/oracle_common/modules/oracle.jdbc/ojdbc8.jar oracle.security.am.migrate.main.ConfigCommand $DOMAIN_HOME export <FILE_LOCATION>/prop.properties

5. Open the oam-config.xml that was written to oam.importExportDirPath, locate the map for your user identity store (named "name_ldap_prod" in this environment) and add the following setting directly below the line containing that name, so that it sits inside that store's map and not in any other store:

<Setting Name="LDAP_SSL_PROTOCOL" Type="xsd:string">TLSv1.2</Setting>

6. Import the modified file with the command from Step 4, replacing export with import.

7. Restart the OAM managed servers and the Admin Server.

SSO logins now succeed again, provided of course that the password you enter is the correct one.
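As an added example that is not part of the original post and not Oracle's own tooling, the script below serves two passages above: it performs the Step 5 edit with an XML parser instead of a hand edit (the setting is added exactly once, inside the named identity store only, and updated in place if it already exists), and for the Analysis section it probes which TLS versions the directory accepts so the diagnosis can be confirmed before anything is imported. The store name "name_ldap_prod", the example hostnames and the oam-config.xml fragment are constructed assumptions.

```python
"""Added example (not from the original post or from Oracle): edit
oam-config.xml with an XML parser and probe the directory's TLS versions.
Store name, hostnames and the sample XML are constructed assumptions."""
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

# Constructed fragment shaped like the user-identity-store section of an
# exported oam-config.xml; the real file is far larger.
SAMPLE_OAM_CONFIG = """<Setting Name="UserIdentityStore" Type="htf:map">
  <Setting Name="name_ldap_prod" Type="htf:map">
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://directory.example.ca:636</Setting>
    <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=oamLDAP,ou=svc,dc=example,dc=ca</Setting>
    <Setting Name="IS_SSL" Type="xsd:boolean">true</Setting>
  </Setting>
  <Setting Name="name_ldap_test" Type="htf:map">
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://directory-test.example.ca:636</Setting>
  </Setting>
</Setting>
"""


def _local(tag):
    """Strip any namespace so lookups work with or without a default xmlns."""
    return tag.rsplit("}", 1)[-1]


def _find_store(root, store_name):
    """Return the htf:map <Setting> for the named identity store, or raise."""
    for el in root.iter():
        if (_local(el.tag) == "Setting" and el.get("Name") == store_name
                and el.get("Type") == "htf:map"):
            return el
    raise KeyError(f"identity store {store_name!r} not found in oam-config.xml")


def get_ldap_ssl_protocol(xml_text, store_name):
    """Current LDAP_SSL_PROTOCOL value for the store, or None if unset."""
    store = _find_store(ET.fromstring(xml_text), store_name)
    for child in store:
        if child.get("Name") == "LDAP_SSL_PROTOCOL":
            return (child.text or "").strip()
    return None


def set_ldap_ssl_protocol(xml_text, store_name, protocol="TLSv1.2"):
    """Return xml_text with LDAP_SSL_PROTOCOL=protocol inside the named store.
    Idempotent: an existing setting is updated rather than duplicated."""
    root = ET.fromstring(xml_text)
    store = _find_store(root, store_name)
    for child in store:
        if child.get("Name") == "LDAP_SSL_PROTOCOL":
            child.text = protocol
            break
    else:
        # Reuse store.tag (not a bare "Setting") so a namespaced file stays consistent.
        new = ET.SubElement(store, store.tag, Name="LDAP_SSL_PROTOCOL", Type="xsd:string")
        new.text = protocol
        children = list(store)
        if len(children) > 1:
            # Keep the file's indentation: the new last child inherits the old
            # last child's tail, and the old one gets the per-child indentation.
            prev = children[-2]
            new.tail, prev.tail = prev.tail, store.text
    return ET.tostring(root, encoding="unicode")


def update_oam_config_file(path, store_name, protocol="TLSv1.2"):
    """Rewrite the exported file in place (keep the untouched export as backup)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(set_ldap_ssl_protocol(text, store_name, protocol))


def probe_tls(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`
    (an ssl.TLSVersion). Certificate checks are off because only protocol
    negotiation is under test; never reuse this context for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # lower it so a False answer reflects the server, not the client.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ValueError, ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    print(set_ldap_ssl_protocol(SAMPLE_OAM_CONFIG, "name_ldap_prod"))
    if len(sys.argv) > 1:  # e.g. python3 oam_tls.py directory.example.ca 636
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
        for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
            print(f"{v.name:8s} {'accepted' if probe_tls(host, port, v) else 'refused'}")
```

Run it with no arguments to print the transformed sample, or pass the directory host and port to see which TLS versions it accepts; a directory that refuses everything below TLSv1_2 matches the failure in the Analysis section. ElementTree drops comments and the XML declaration when it re-serialises, so diff the result against the untouched export before importing it, and keep that export as the rollback copy.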
