How To Configure OVD Adapter To Failover When SSL Connection To Primary Host Fails Due To Server Private Key Changes? How To Configure OVD Adapter With Root CA Instead of Server Certificate? (Doc ID 1111630.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Virtual Directory - Version 10.1.4.3 and later
Information in this document applies to any platform.

Goal

Oracle Virtual Directory (OVD) 10g / 10.1.4.3.0 or 11g.

Scenario:
When the remote / backend host server private key certificate is updated, the connection fails with error, for example:

Unable to create connection to ldap://myremotehost.mycompany.com:636 as cn=myuser,OU=MyOU,DC=mycompany,DC=com WorkThread# 13
javax.naming.CommunicationException: simple bind failed: myremotehost.mycompany.com:636 Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
  at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:198)


Or for example, if the certificate expired:

[2011-06-16 20:00:19,624] [#Primary AD LDAP Adapter] Unable to create connection to ldap://<Backend Server IPaddress>:<SSL port> as <username>
javax.naming.CommunicationException: simple bind failed: <Backend Server IPaddress>:<SSL Port> [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Thu Jun 16 19:59:59 EDT 2011]


In 11g, the log may show:

[2012-02-15T12:39:58.925-05:00] [octetstring] [ERROR] [OVD-60143] [com.octetstring.vde.backend.jndi.OAM-Sunone-Users.BackendJNDI] [tid: 43] [ecid: 0000JM26Mp7EwGWjLxMMOA1F57lX00P94c,0] [arg: [#OAM-Sunone-Users].] [arg: ldap://[host1.mycompany.com]:2636] [arg: uid=ovdadmin,ou=apps,dc=mycompany,dc=com] [#OAM-Sunone-Users] Unable to create connection to ldap://[host1.mycompany.com]:2636 as uid=ovdadmin,ou=apps,dc=mycompany,dc=com.[[
javax.naming.CommunicationException: simple bind failed: host1.mycompany.com:2636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]



When this occurs the adapter does not failover to use the other remote nodes that are defined in the ldap adapter.

In looking to avoid this problem:

1.  How to configure the adapter to failover to the other servers when the connection to the primary host fails due server private key certificate changes?

2.  How to configure the adapters to use the Root Public key so the public keys do not need to be updated everytime the source private key certificate gets updated?

Solution

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms