OAM SSO Login Failure Due To Missing Communication Protocol With LDAP
After the recent quarterly security patching on your OAM environment, you might have found out that a routine sanity check fails with SSO login errors.
At a first glance, you might be tempted to believe that there is something wrong with LDAP.
However, the underlying cause is the TLS 1.2 requirement mandated for OAM version 220.127.116.11 and beyond. With an older TLS version still in use by default, OAM fails to communicate with the LDAP server, which triggers the authentication/authorization issues.
The issue can be verified from the error messages captured in wls_oam(n)-diagnostic.log and wls_oam(n).out:

==> wls_oam2-diagnostic.log <==
[2022-08-07T00:25:25.765-04:00] [wls_oam2] [NOTIFICATION]  [oracle.ods.virtualization.engine.backend.jndi.adapter1] [tid: [ACTIVE].ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 005tPwJxD_TEwGKayTaeMG0000tm00000V,0:1:4:1:4] [APP: oam_server] [partition-name: DOMAIN] [tenant-name: ****] Priming the connection pool.ldap://directory.****.ca:636
[2022-08-07T00:25:25.774-04:00] [wls_oam2] [WARNING] [LIBOVD-60024] [oracle.ods.virtualization.engine.backend.jndi.adapter1] [tid: [ACTIVE].ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 005tPwJxD_TEwGKayTaeMG0000tm00000V,0:1:4:1:4] [APP: oam_server] [partition-name: DOMAIN] [tenant-name: ****] Connection error: simple bind failed: directory.****.ca:636.

==> wls_oam2.out <==
<Aug 7, 2022 12:25:25,774 AM EDT> <Warning> <oracle.ods.virtualization.engine.backend.jndi.adapter1> <LIBOVD-60024> <Connection error: simple bind failed: directory.****.ca:636.>
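As an added illustration (not part of the original post), the Python snippet below parses diagnostic-log lines in the bracketed ODL layout shown above and flags LIBOVD-60024 "simple bind failed" entries, pulling out the directory host and port so a sanity check can point at the right layer. The two sample lines are constructed from the excerpt above (hostname masked as in the original); the hint that a bind failure on port 636 should send you to the OAM-side TLS protocol setting before the directory credentials reflects this post's diagnosis and is a heuristic, not an Oracle-supplied rule.

```python
import re

# Constructed sample input: the two diagnostic-log lines quoted in the post,
# with the original's curly quotes and dashes normalised to plain ASCII.
SAMPLE_LOG = [
    "[2022-08-07T00:25:25.765-04:00] [wls_oam2] [NOTIFICATION]  "
    "[oracle.ods.virtualization.engine.backend.jndi.adapter1] "
    "[tid: [ACTIVE].ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'] "
    "[userId: <anonymous>] [ecid: 005tPwJxD_TEwGKayTaeMG0000tm00000V,0:1:4:1:4] "
    "[APP: oam_server] [partition-name: DOMAIN] [tenant-name: ****] "
    "Priming the connection pool.ldap://directory.****.ca:636",
    "[2022-08-07T00:25:25.774-04:00] [wls_oam2] [WARNING] [LIBOVD-60024] "
    "[oracle.ods.virtualization.engine.backend.jndi.adapter1] "
    "[tid: [ACTIVE].ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'] "
    "[userId: <anonymous>] [ecid: 005tPwJxD_TEwGKayTaeMG0000tm00000V,0:1:4:1:4] "
    "[APP: oam_server] [partition-name: DOMAIN] [tenant-name: ****] "
    "Connection error: simple bind failed: directory.****.ca:636.",
]

# Leading fixed fields of an ODL record: timestamp, server, level, optional
# message id (e.g. LIBOVD-60024), component.  Remaining bracketed fields vary.
ODL_HEAD = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<server>[^\]]+)\]\s+\[(?P<level>[A-Z]+)\]\s+"
    r"(?:\[(?P<msgid>[A-Z]+-\d+)\]\s+)?\[(?P<component>[^\]]+)\]"
)
BIND_FAIL = re.compile(r"simple bind failed: (?P<host>[^\s:]+):(?P<port>\d+)")

LDAPS_PORT = 636  # conventional LDAPS port; used only as a hint heuristic


def _message_start(line):
    """Index where the free-text message begins, i.e. after the run of
    bracketed fields.  Brackets nest ([tid: [ACTIVE].ExecuteThread ...]),
    so track depth instead of splitting on ']'."""
    depth, i, n = 0, 0, len(line)
    while i < n:
        c = line[i]
        if c == "[":
            depth += 1
        elif c == "]":
            depth -= 1
            if depth == 0:
                j = i + 1
                while j < n and line[j] == " ":
                    j += 1
                if j >= n or line[j] != "[":
                    return j          # next thing is not a field: message starts here
                i = j
                continue
        i += 1
    return n


def parse_odl(line):
    """Return a dict of the fixed header fields plus 'message', or None if the
    line is not an ODL record (continuation lines, '==>' headers, etc.)."""
    m = ODL_HEAD.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["message"] = line[_message_start(line):].strip()
    return rec


def triage(lines):
    """Collect LDAP bind failures with the host/port they were raised for and a
    defender-oriented hint about which layer to check first."""
    findings = []
    for line in lines:
        rec = parse_odl(line)
        if rec is None:
            continue
        bind = BIND_FAIL.search(rec["message"])
        if bind is None:
            continue
        port = int(bind.group("port"))
        if port == LDAPS_PORT:
            hint = ("bind failed on the LDAPS port: check the TLS protocol OAM offers "
                    "(LDAP_SSL_PROTOCOL in oam-config.xml) before suspecting credentials")
        else:
            hint = "bind failed on a non-LDAPS port: check credentials and reachability"
        findings.append({
            "ts": rec["ts"], "server": rec["server"], "msgid": rec["msgid"],
            "host": bind.group("host"), "port": port, "hint": hint,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['server']} {f['msgid']} {f['host']}:{f['port']} -> {f['hint']}")
```

Point it at the real file with `triage(open("wls_oam2-diagnostic.log").read().splitlines())`; multi-line stack traces simply fall through `parse_odl` and are ignored.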
The LDAP Profile section of the oam-config.xml file needs to be modified so that it specifies the protocol OAM uses to communicate with the LDAP server, i.e. TLS 1.2.
If you are using OAM 18.104.22.168 or higher, you need to export the oam-config.xml file from the database, make the required changes, and import it back into the database.
Follow the steps below:
1. Create a "prop.properties" file under /home/oracle
2. The file should contain the entries described in Doc ID 2310234.1:
oam.entityStore.ConnectString=jdbc:oracle:thin:@<DB_HOSTNAME>:<DB_PORT>/<SERVICE_NAME>
oam.entityStore.schemaUser=<OAM_SCHEMA_NAME>
oam.entityStore.schemaPassword=<OAM_SCHEMA_PASSWORD>
oam.importExportDirPath=<DIRECTORY_PATH>
oam.frontending=params=WebLogicHost:OAMManagedServerPort:http(s)
3. Set your environment to point to $ORACLE_HOME (OAM Oracle Home path), $DOMAIN_HOME (OAM Domain Home path) and $JAVA_HOME
4. Use this command to export the oam-config.xml file:
<JAVA_HOME>/bin/java -cp <ORACLE_HOME>/idm/oam/server/tools/config-utility/config-utility.jar:<ORACLE_HOME>/oracle_common/modules/oracle.jdbc/ojdbc8.jar oracle.security.am.migrate.main.ConfigCommand $DOMAIN_HOME export <FILE_LOCATION>/prop.properties
5. Update the oam-config.xml file created in the directory given by oam.importExportDirPath in "prop.properties": directly below the line containing "name_ldap_prod", add the following entry:
<Setting Name="LDAP_SSL_PROTOCOL" Type="xsd:string">TLSv1.2</Setting>
6. Import the modified file using the command from Step 4, replacing export with import
7. Restart the OAM Managed Servers and the Admin Server
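To make Step 5 repeatable, for example across several OAM hosts or after the next patch cycle, here is an added Python example (not from the original post and not an Oracle tool) that inserts the LDAP_SSL_PROTOCOL setting directly after the element holding name_ldap_prod, corrects it if it is already present with another value, and leaves an already-correct file untouched so it can be run safely more than once. The sample XML is a constructed stand-in: the nesting of Setting elements and the neighbouring setting names are assumptions made for this example; only the LDAP_SSL_PROTOCOL entry itself comes from the post.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the LDAP Profile section of oam-config.xml.
# The Setting/Setting nesting and the LDAP_URL/PRINCIPAL names are assumptions
# made for this example, not a copy of the real file.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="LDAP" Type="htf:map">
    <Setting Name="LDAP1" Type="htf:map">
      <Setting Name="Name" Type="xsd:string">name_ldap_prod</Setting>
      <Setting Name="LDAP_URL" Type="xsd:string">ldaps://directory.example.com:636</Setting>
      <Setting Name="PRINCIPAL" Type="xsd:string">cn=oamadmin,dc=example,dc=com</Setting>
    </Setting>
  </Setting>
</Configuration>
"""

TARGET_NAME = "LDAP_SSL_PROTOCOL"   # setting named in the post
TARGET_VALUE = "TLSv1.2"            # value named in the post


def _local(tag):
    """Strip a namespace prefix ('{uri}Setting' -> 'Setting') so the code also
    works if the real file declares a default namespace."""
    return tag.rsplit("}", 1)[-1]


def _find_profile(root, profile_name):
    """Return (profile_element, name_child) for the Setting block that has a
    child whose text is profile_name, or (None, None) if absent."""
    for el in root.iter():
        if _local(el.tag) != "Setting":
            continue
        for child in el:
            if _local(child.tag) == "Setting" and (child.text or "").strip() == profile_name:
                return el, child
    return None, None


def ensure_tls12(xml_text, profile_name="name_ldap_prod"):
    """Return (new_xml_text, changed).

    Adds <Setting Name="LDAP_SSL_PROTOCOL" Type="xsd:string">TLSv1.2</Setting>
    right after the profile-name element if it is missing, rewrites its value
    if it holds something else (e.g. TLSv1), and reports changed=False when
    the file already says TLSv1.2.
    """
    root = ET.fromstring(xml_text)
    profile, name_el = _find_profile(root, profile_name)
    if profile is None:
        raise ValueError(f"LDAP profile {profile_name!r} not found in oam-config.xml")

    existing = [c for c in profile
                if _local(c.tag) == "Setting" and c.get("Name") == TARGET_NAME]
    if existing:
        if (existing[0].text or "").strip() == TARGET_VALUE:
            return xml_text, False            # already TLS 1.2: idempotent no-op
        existing[0].text = TARGET_VALUE       # older protocol configured: upgrade it
    else:
        # Reuse the sibling's tag so any namespace is carried over, and copy its
        # tail so the file's indentation is preserved.
        new = ET.Element(name_el.tag, {"Name": TARGET_NAME, "Type": "xsd:string"})
        new.text = TARGET_VALUE
        new.tail = name_el.tail
        profile.insert(list(profile).index(name_el) + 1, new)

    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    updated, changed = ensure_tls12(SAMPLE_OAM_CONFIG)
    print("changed:", changed)
    print(updated)
```

Run it against the exported file before Step 6 (`ensure_tls12(open(path).read())`), write the returned text back only when `changed` is True, and keep the original export alongside for diffing; `ET.tostring` omits the XML declaration, so use `ET.ElementTree(root).write(path, encoding="UTF-8", xml_declaration=True)` if your export carries one and you want it preserved.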
Now, the OAM SSO will readily accept the password you enter, provided it is the correct one!