OAM SSO Login Failure Due To Missing Communication Protocol With LDAP


After quarterly security patching of an OAM environment, a routine post-patch sanity check may fail with SSO login errors.

At first glance the symptoms point at LDAP, and you might be tempted to believe that something is wrong with the directory.

The directory is not at fault, however. The underlying cause is the TLS 1.2 requirement that applies to OAM from version 11.1.2.3 onwards: the identity-store connection was still negotiating an older TLS version by default, so the LDAPS bind to the directory failed, and every authentication and authorization call that depends on that bind failed with it.


The Analysis

==> wls_oam2-diagnostic.log <==

[2022-08-07T00:25:25.765-04:00] [wls_oam2] [NOTIFICATION] [] [oracle.ods.virtualization.engine.backend.jndi.adapter1] [tid: [ACTIVE].ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 005tPwJxD_TEwGKayTaeMG0000tm00000V,0:1:4:1:4] [APP: oam_server] [partition-name: DOMAIN] [tenant-name: ****] Priming the connection pool.ldap://directory.****.ca:636
[2022-08-07T00:25:25.774-04:00] [wls_oam2] [WARNING] [LIBOVD-60024] [oracle.ods.virtualization.engine.backend.jndi.adapter1] [tid: [ACTIVE].ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 005tPwJxD_TEwGKayTaeMG0000tm00000V,0:1:4:1:4] [APP: oam_server] [partition-name: DOMAIN] [tenant-name: ****] Connection error: simple bind failed: directory.****.ca:636.

==> wls_oam2.out <==

<Aug 7, 2022 12:25:25,774 AM EDT> <Warning> <oracle.ods.virtualization.engine.backend.jndi.adapter1> <LIBOVD-60024> <Connection error: simple bind failed: directory.****.ca:636.>

The connection pool is primed against the LDAPS port (636) and the very next line is the LIBOVD-60024 bind failure: the TCP connection is made, but the TLS handshake in front of the bind does not complete.


The Solution

From OAM 12.2.1.3 onwards, oam-config.xml is stored in the database rather than on the file system, so the fix is to export the file with the config utility, make the change, and import it back.

Follow the steps below:

1. Create a "prop.properties" file under /home/oracle. The file will hold the OAM schema password in clear text, so make it readable by the oracle user only and delete it when you are done.

2. Populate the file with the entries described in Doc ID 2310234.1:

oam.entityStore.ConnectString=jdbc:oracle:thin:@<DB_HOSTNAME>:<DB_PORT>/<SERVICE_NAME>
oam.entityStore.schemaUser=<OAM_SCHEMA_NAME>
oam.entityStore.schemaPassword=<OAM_SCHEMA_PASSWORD>
oam.importExportDirPath=<DIRECTORY_PATH>
oam.frontending=params=WebLogicHost:OAMManagedServerPort:http(s)

3. Export ORACLE_HOME (the OAM Oracle Home), DOMAIN_HOME (the OAM domain home) and JAVA_HOME in your shell environment.

4. Export oam-config.xml with the following command (it is written to the directory given by oam.importExportDirPath):

$JAVA_HOME/bin/java -cp $ORACLE_HOME/idm/oam/server/tools/config-utility/config-utility.jar:$ORACLE_HOME/oracle_common/modules/oracle.jdbc/ojdbc8.jar oracle.security.am.migrate.main.ConfigCommand $DOMAIN_HOME export <FILE_LOCATION>/prop.properties

5. In the exported oam-config.xml, locate the user identity store entry (the line containing "name_ldap_prod" in this environment; use your own store name) and add the following setting directly below it. Note the straight double quotes; typographic quotes will not parse:

<Setting Name="LDAP_SSL_PROTOCOL" Type="xsd:string">TLSv1.2</Setting>

6. Import the modified file by running the command from step 4 again with "import" in place of "export".

7. Restart the OAM managed servers and the Admin Server.

With the servers back up, OAM SSO accepts the password you enter again, provided it is the correct one, of course.
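Step 5 is the one place where a hand edit can go wrong (a typo in the element, typographic quotes, or the setting pasted under the wrong store), so the script below automates it against the exported file. It is an added example, not part of the original post and not Oracle's config-utility. The element nesting in the constructed sample and the store name "name_ldap_prod" are assumptions modelled on oam-config.xml; the code only relies on <Setting Name=".." Type=".."> elements and matches tags by local name, so it works with or without a default xmlns on the root element, and it is idempotent: an existing LDAP_SSL_PROTOCOL setting is updated in place rather than duplicated.

```python
"""Set LDAP_SSL_PROTOCOL on an OAM identity store in an exported oam-config.xml.

Added example, not Oracle tooling. The sample document and the store name
are assumptions; only <Setting Name=".." Type=".."> elements are relied on.
"""
import sys
import xml.etree.ElementTree as ET

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'

# Constructed sample (not a real export): one LDAPS identity store that has
# no LDAP_SSL_PROTOCOL setting yet, i.e. the state that produced the warning.
SAMPLE_OAM_CONFIG = XML_DECL + """<Configuration xmlns="http://higgins.eclipse.org/sts/Configuration">
  <Setting Name="NGAMConfiguration" Type="htf:map">
    <Setting Name="DataSource" Type="htf:map">
      <Setting Name="UserIdentityStore" Type="htf:map">
        <Setting Name="name_ldap_prod" Type="htf:map">
          <Setting Name="LDAP_URL" Type="xsd:string">ldap://directory.example.ca:636</Setting>
          <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=oamadmin,ou=svc,dc=example,dc=ca</Setting>
          <Setting Name="USER_SEARCH_BASE" Type="xsd:string">ou=people,dc=example,dc=ca</Setting>
        </Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>
"""


def _local(tag):
    """Strip any {namespace} prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _ns_of(tag):
    """Return the '{namespace}' prefix of a tag, or '' if it is unqualified."""
    return tag[: tag.index("}") + 1] if tag.startswith("{") else ""


def _find_setting(root, name):
    """Return the first <Setting Name=name> anywhere under root, or None."""
    for el in root.iter():
        if _local(el.tag) == "Setting" and el.get("Name") == name:
            return el
    return None


def _child_setting(store, name):
    """Return the direct child <Setting Name=name> of store, or None."""
    for child in store:
        if _local(child.tag) == "Setting" and child.get("Name") == name:
            return child
    return None


def get_ldap_ssl_protocol(xml_text, store_name):
    """Return the store's LDAP_SSL_PROTOCOL value, or None if unset."""
    store = _find_setting(ET.fromstring(xml_text), store_name)
    if store is None:
        raise ValueError(f"identity store {store_name!r} not found")
    setting = _child_setting(store, "LDAP_SSL_PROTOCOL")
    return (setting.text or "").strip() if setting is not None else None


def ensure_ldap_ssl_protocol(xml_text, store_name, protocol="TLSv1.2"):
    """Return xml_text with LDAP_SSL_PROTOCOL=protocol on store_name.

    Updates an existing setting in place; otherwise inserts a new one as the
    store's first child, i.e. directly below the store's own line (step 5).
    """
    root = ET.fromstring(xml_text)
    ns = _ns_of(root.tag)
    if ns:
        # Keep the document's default namespace unprefixed on output instead
        # of ElementTree rewriting every tag as ns0:Setting.
        ET.register_namespace("", ns[1:-1])
    store = _find_setting(root, store_name)
    if store is None:
        raise ValueError(f"identity store {store_name!r} not found")
    setting = _child_setting(store, "LDAP_SSL_PROTOCOL")
    if setting is None:
        setting = ET.Element(ns + "Setting", {"Name": "LDAP_SSL_PROTOCOL", "Type": "xsd:string"})
        setting.tail = store.text  # reuse the store's indentation whitespace
        store.insert(0, setting)
    setting.text = protocol
    return XML_DECL + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    # Usage: python fix_oam_config.py <oam.importExportDirPath>/oam-config.xml <store name>
    path, store = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(ensure_ldap_ssl_protocol(original, store))
```

Run it on the exported file before step 6, then import as described. Before editing anything it is worth confirming the premise from a shell on the OAM host: `openssl s_client -connect directory.example.ca:636 -tls1_2` should complete a handshake, while the same command with `-tls1_1` or `-tls1` should be refused by the directory; if TLS 1.2 is refused too, the problem is on the directory side and this setting will not help.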
