ODSM Connection To OVD 11g Via SSL Using Self-Signed VIP/LBR Certificate Fails With: "Server <loadbalancerhostname>:<port> has failed SSL verification." (Doc ID 1314533.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Virtual Directory - Version 11.1.1.2.0 and later
Information in this document applies to any platform.

Symptoms

Scenario:
Created a self-signed certificate for the Virtual IP (VIP) / Load Balancer (LBR) name for one of the Oracle Virtual Directory (OVD) 11g servers (i.e., ovd1) from Enterprise Manager. Then used keytool -importkeystore to import this keystore from the ovd1 server to the second OVD server (ovd2) on the other system. Configured the OVD Administrator port (i.e., 8444) for server-side authentication SSL with this keystore on both OVD servers and bounced the servers. Also set Host Name Verification to 'None' for the WebLogic Server (WLS) Admin Server and the Oracle Directory Services Manager (ODSM) Managed Server wls_ods1, and bounced both the Admin Server and the wls_ods1 Managed Server.

However, whenever ODSM is used to create a connection to OVD through the VIP address, i.e., 'myloadbalancer.mycompany.com', ODSM returns the error:

Server myloadbalancer.mycompany.com:8444 has failed SSL verification. This may be due to a host address or port problem or trust could not be verified or was declined.


The $FMW_HOME/user_projects/domains/IDM_DOMAIN/servers/wls_ods1/logs/wls_ods1-diagnostic.log shows:

[2011-04-14T22:58:55.037-06:00] [wls_ods1] [NOTIFICATION] [] [oracle.ldap.odsm.model.oid.ODSMSSLSocketFactory] [tid: [ACTIVE].ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: ad793a1f99d04f77:-27782eba:12f56960b60:-8000-0000000000000c7b,0] [APP: odsm#11.1.1.2.0] Connection could not be established for handshake
[2011-04-14T22:58:55.039-06:00] [wls_ods1] [ERROR] [] [oracle.ldap.odsm.ui.common.Login] [tid: [ACTIVE].ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: ad793a1f99d04f77:-27782eba:12f56960b60:-8000-0000000000000c7b,0] [APP: odsm#11.1.1.2.0] [ODSM-00007] SSL connection failed.
[2011-04-14T22:58:55.040-06:00] [wls_ods1] [ERROR] [] [oracle.ldap.odsm.ui.common.Login] [tid: [ACTIVE].ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: ad793a1f99d04f77:-27782eba:12f56960b60:-8000-0000000000000c7b,0] [APP: odsm#11.1.1.2.0] Connection refused[[
java.net.ConnectException: Connection refused

at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
at java.net.Socket.connect(Socket.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:559)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:360)
at com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:71)
at oracle.ldap.odsm.model.oid.ODSMSSLSocketFactory.getServerCert(ODSMSSLSocketFactory.java:209)
at oracle.ldap.odsm.ui.common.Login.createTrustConnection(Login.java:798)
at oracle.ldap.odsm.ui.common.Login.saveChanges(Login.java:219)
...<etc,etc>...


The AdminServer log (IDM_DOMAIN.log) also shows the same SSL error of 'Connection Refused':

####<Apr 14, 2011 10:58:55 PM MDT> <Error> <oracle.ldap.odsm.ui.common.Login> <ovd1.mycompany.com> <wls_ods1> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <ad793a1f99d04f77:-27782eba:12f56960b60:-8000-0000000000000c7b> <1302843535039> <BEA-000000> < [ODSM-00007] SSL connection failed.>
####<Apr 14, 2011 10:58:55 PM MDT> <Error> <oracle.ldap.odsm.ui.common.Login> <ovd1.mycompany.com> <wls_ods1> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <ad793a1f99d04f77:-27782eba:12f56960b60:-8000-0000000000000c7b> <1302843535040> <BEA-000000> <Connection refused
java.net.ConnectException: Connection refused



When connecting from ODSM using the physical OVD server names of both nodes instead, each server presents its own certificate and, once that certificate is accepted, sign-in succeeds. However, after the ODSM keystore was backed up and removed and the 'wls_ods1' server bounced, accessing each server by its physical name presents a server certificate whose subject is, for example, 'server: ovd1.mycompany.com' but whose Issuer and Signer are both the VIP 'myloadbalancer.mycompany.com'. Accepting it only for 'this session' then logs into the ODSM console successfully and allows OVD to be managed.
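The ODSM error text conflates a host/port problem with a trust problem, while the diagnostic log above actually records a plain TCP `Connection refused`. The script below is an added example, not part of this note or of any Oracle tool: it runs the TCP connect and the verified TLS handshake as separate stages, classifies whichever one fails, and on success reports the subject and issuer names so a certificate such as the 'ovd1.mycompany.com' one issued by the VIP is visible at a glance. The script name `ovd_ssl_diag.py`, the optional `vip_cert.pem` trust file and the host/port values in the usage line are assumptions taken from the scenario.

```python
import socket
import ssl


def classify_failure(exc):
    """Map the exception from a connect/handshake attempt to one root-cause class.
    SSLError is tested first because it is itself a subclass of OSError."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        msg = str(exc).lower()
        if "hostname mismatch" in msg or "doesn't match" in msg:
            return "trust: certificate name does not match the host name used to connect"
        if "self signed" in msg or "self-signed" in msg or "local issuer" in msg:
            return "trust: issuer/self-signed certificate is not in the client trust store"
        return "trust: certificate verification failed"
    if isinstance(exc, ssl.SSLError):
        return "handshake: TLS negotiation failed (non-TLS listener or protocol mismatch)"
    if isinstance(exc, ConnectionRefusedError):
        return "host/port: connection refused (nothing listening on that address:port)"
    if isinstance(exc, (TimeoutError, socket.timeout)):
        return "host/port: connection timed out (firewall, or LBR not forwarding)"
    if isinstance(exc, socket.gaierror):
        return "host/port: host name does not resolve"
    return "unknown: " + repr(exc)


def summarize_cert(cert):
    """Reduce a getpeercert() dict to the fields worth comparing against the VIP name."""
    def cn(name):  # a name is a tuple of RDNs, each a tuple of (attribute, value) pairs
        return next((v for rdn in name for k, v in rdn if k == "commonName"), None)
    return {
        "subject_cn": cn(cert.get("subject", ())),
        "issuer_cn": cn(cert.get("issuer", ())),
        "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "self_signed": cert.get("subject") == cert.get("issuer"),
    }


def connect_and_verify(host, port, cafile=None, timeout=5.0):
    """Stage 1: plain TCP connect. Stage 2: TLS handshake with full verification against
    cafile (for example the exported VIP certificate) or the default trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", summarize_cert(tls.getpeercert())
    except Exception as exc:  # every failure type is classified, none is swallowed
        return "failed", classify_failure(exc)


if __name__ == "__main__":
    import sys  # usage: python ovd_ssl_diag.py myloadbalancer.mycompany.com 8444 [vip_cert.pem]
    print(connect_and_verify(sys.argv[1], int(sys.argv[2]), *sys.argv[3:4]))
```

A "host/port" result means the LBR/VIP listener itself is the problem and no keystore change will fix it; only a "trust" result points at the certificate chain or the ODSM keystore.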

Changes

 

Cause
