ODSM Connection To OVD 11g Via SSL Using Self-Signed VIP/LBR Certificate Fails With: "Server <LOADBALANCER_HOSTNAME>:<PORT> has failed SSL verification."
(Doc ID 1314533.1)
Last updated on MAY 31, 2024
Applies to:
Oracle Virtual Directory - Version 11.1.1.2.0 to 11.1.1.9.0 [Release 11g]
Information in this document applies to any platform.
Symptoms
Scenario:
A self-signed certificate for the Virtual IP (VIP) / Load Balancer (LBR) was created from Enterprise Manager on one of the Oracle Virtual Directory (OVD) 11g servers (i.e., ovd1). keytool -importkeystore was then used to import this keystore from the ovd1 server into the second OVD server (ovd2) on the other system. The OVD Administrator port was configured for server-side authentication SSL with the keystore on both OVD servers, and the servers were bounced. Host Verification was also set to 'None' for WebLogic Server (WLS) and the Oracle Directory Services Manager (ODSM) wls_ods1 Managed Server, and both the Admin Server and the wls_ods1 Managed Server were bounced.
However, whenever a connection to OVD is created in ODSM using the VIP address, i.e., '<LBR_HOSTNAME>', ODSM returns an error:
The $FMW_HOME/user_projects/domains/<DOMAIN_NAME>/servers/wls_ods1/logs/wls_ods1-diagnostic.log shows:
[2011-04-14T22:58:55.039-06:00] [wls_ods1] [ERROR] [] [oracle.ldap.odsm.ui.common.Login] [tid: [ACTIVE].ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: <ECID>] [APP: odsm#11.1.1.2.0] [ODSM-00007] SSL connection failed.
[2011-04-14T22:58:55.040-06:00] [wls_ods1] [ERROR] [] [oracle.ldap.odsm.ui.common.Login] [tid: [ACTIVE].ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: <ECID>] [APP: odsm#11.1.1.2.0] Connection refused[[
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
at java.net.Socket.connect(Socket.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:559)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:360)
at com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:71)
at oracle.ldap.odsm.model.oid.ODSMSSLSocketFactory.getServerCert(ODSMSSLSocketFactory.java:209)
at oracle.ldap.odsm.ui.common.Login.createTrustConnection(Login.java:798)
at oracle.ldap.odsm.ui.common.Login.saveChanges(Login.java:219)
...<etc,etc>...
The AdminServer log (<DOMAIN_NAME>.log) also shows the same SSL error of 'Connection Refused':
####<Apr 14, 2011 10:58:55 PM> <Error> <oracle.ldap.odsm.ui.common.Login> <HOSTNAME> <wls_ods1> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <xxxxxx> <1302843535040> <BEA-000000> <Connection refused
java.net.ConnectException: Connection refused
When connecting in ODSM by specifying the physical OVD server names for both nodes, ODSM presents each server certificate and, once the certificate is accepted, the sign-in succeeds. However, after the ODSM keystore is backed up and removed and the 'wls_ods1' server is bounced, accessing each server by its physical name presents a server certificate such as 'server: <OVD_HOSTNAME1>' whose Issuer and Signer are both the VIP '<LBR_HOSTNAME>'. If the certificate is accepted only for 'this session', the login to the ODSM console succeeds and OVD can be managed.
Changes
Cause