
OVD 11g After Configuring a New OVD Listener for SSL and Selecting "All" Cipher Suites in EM, OVD Fails to Start with: Cannot start Oracle Virtual Directory server: Cannot support TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers. (Doc ID 1603828.1)

Last updated on AUGUST 18, 2022

Applies to:

Oracle Virtual Directory - Version 11.1.1.1.0 and later
Information in this document applies to any platform.

Symptoms

Oracle Virtual Directory (OVD) 11g, i.e., 11.1.1.7.0

Trying to apply SSL/TLS security settings within OVD.

Issue #1:

Steps to reproduce:

Log in to Enterprise Manager:  http://<host>:7001/em

Create a new OVD listener on new ports (reference <Document 1210784.1>).

Go to the Enterprise Manager (EM) Fusion Middleware (FMW) Control console > Farm_IDMDomain > Identity and Access > ovd1 > Administration > Listeners.

Create "LDAP SSL Endpoint2" on new port 7502.

Edit New Listener - LDAP SSL Endpoint2:
 Change SSL Settings > Enable SSL checked
 Choose SSL Authentication > Server authentication

 Select "All" Cipher Suites:
       SSL_RSA_WITH_RC4_128_MD5
       SSL_RSA_WITH_RC4_128_SHA
       TLS_RSA_WITH_AES_128_CBC_SHA
       TLS_RSA_WITH_AES_256_CBC_SHA
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
       SSL_RSA_WITH_3DES_EDE_CBC_SHA
       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
       SSL_RSA_WITH_DES_CBC_SHA
       SSL_DHE_RSA_WITH_DES_CBC_SHA
       SSL_RSA_EXPORT_WITH_RC4_40_MD5
       SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
       SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
       SSL_RSA_WITH_NULL_MD5
       SSL_RSA_WITH_NULL_SHA

Select "All" protocols:
       v1
       v3
       v2Hello

Shutdown Target /Farm_IDMDomain/asinst_1/ovd1.

Then Start Target /Farm_IDMDomain/asinst_1/ovd1.

It fails with the following error, which is also reported in $ORACLE_INSTANCE/diagnostics/logs/OVD/ovd1/diagnostic.log:

Cannot start Oracle Virtual Directory server: Cannot support TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers.
Supplemental Detail java.lang.IllegalArgumentException: Cannot support TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers
at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(CipherSuiteList.java:79)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.setEnabledCipherSuites(SSLServerSocketImpl.java:166)
at com.octetstring.vde.frontend.SocketListener.configureSSLParams(SocketListener.java:194)
at com.octetstring.vde.frontend.LDAP.doAllocatePort(LDAP.java:230)
at com.octetstring.vde.frontend.LDAP.startListener(LDAP.java:481)
at com.octetstring.vde.frontend.ListenerHandler.addListener(ListenerHandler.java:100)
at com.octetstring.vde.frontend.ListenerHandler.init(ListenerHandler.java:91)
at com.octetstring.vde.VDEServer.startServer(VDEServer.java:182)
at com.octetstring.vde.VDEServer.main(VDEServer.java:360)

Editing the Listener - LDAP SSL Endpoint2, selecting SSL Authentication > No authentication (or Mutual Authentication), then selecting "All" Cipher Suites and running the Start operation on target /Farm_IDMDomain/asinst_1/ovd1, fails with the same error:

Cannot start Oracle Virtual Directory server: Cannot support TLS_DH_anon_WITH_AES_256_CBC_SHA with currently installed providers.
The AES_256 cipher needs to be installed and enabled in the current JVM.

Observation:  Performing the same steps but selecting "restart" on ovd1 instead of "shutdown then start", the restart returns a "Completed Successfully" message, giving the impression that it is working, but the log still reports "Cannot start Oracle Virtual Directory server: Unsupported ciphersuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256".



Note: This error may also affect libOVD. Example error from the log of a libOVD-enabled application:

...
Caused by: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 2 : myldaphost.example.com:636
at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.getLDAPContext(BackendJNDI.java:1164)
at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.getConnection(BackendJNDI.java:1027)
at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.getHolder(ConnectionHandle.java:470)
...
Caused by: javax.naming.CommunicationException: myldaphost.example.com:636 [Root exception is java.lang.IllegalArgumentException: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA with currently installed providers]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)

And warnings:

[2018-10-11T16:44:19.336+00:00] [bi_server] [WARNING] [LIBOVD-60174] [oracle.ods.virtualization.engine.backend.jndi.DefaultAuthenticator.BackendJNDI] [tid: LibOVD Timer] [userId: <anonymous>] [ecid: <ecid string>] [APP: bi-security] [partition-name: DOMAIN] [tenant-name: GLOBAL] Remote server unreachable and marked inactive: <IP address>:5,001.

Issue #2:

After properly installing/upgrading local_policy.jar and US_export_policy.jar from the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, restarting all processes, creating a new keystore and certificate from within OVD, creating a new OVD SSL Listener, and selecting TLS_RSA_WITH_AES_256_CBC_SHA as the cipher, OVD fails to start and returns the same error:

Cannot start Oracle Virtual Directory server: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA with currently installed providers.
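
Both issues above come down to the same question: can the JVM that OVD runs on actually provide the cipher suites selected for the listener? The following preflight check is an added example (not Oracle's code, not part of OVD or the EM console) that answers that before the listener is saved. It reports the maximum AES key length the JCE jurisdiction policy allows (128 under the default limited policy files, which is why every AES_256 suite is rejected), lists the requested suites the installed providers do not support, and then makes the same setEnabledCipherSuites call that OVD's SocketListener makes in the stack trace above, so the exact "Cannot support ... with currently installed providers" message is reproduced without starting OVD. The class name and the REQUESTED array are assumptions; the array is simply the "All" Cipher Suites list from the EM dialog above, and an operator would normally substitute the suites selected for their own listener.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Hypothetical preflight check (not part of OVD): run it with the same JVM
 * OVD uses, before selecting cipher suites for an SSL listener in EM.
 */
public class OvdCipherSuitePreflight {

    // The suites shown under "All" Cipher Suites in the EM listener dialog.
    // Replace with the suites actually selected for the listener being configured.
    static final String[] REQUESTED = {
        "SSL_RSA_WITH_RC4_128_MD5",
        "SSL_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_DES_CBC_SHA",
        "SSL_DHE_RSA_WITH_DES_CBC_SHA",
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "SSL_RSA_WITH_NULL_MD5",
        "SSL_RSA_WITH_NULL_SHA"
    };

    /** Returns the requested suites that the installed providers cannot offer. */
    static List<String> unsupportedSuites(SSLServerSocketFactory factory, String[] requested) {
        Set<String> supported = new HashSet<String>(Arrays.asList(factory.getSupportedCipherSuites()));
        List<String> missing = new ArrayList<String>();
        for (String suite : requested) {
            if (!supported.contains(suite)) {
                missing.add(suite);
            }
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // JCE jurisdiction policy: 128 means the default limited policy files are in
        // place and every AES_256 suite will be rejected; Integer.MAX_VALUE means the
        // Unlimited Strength policy files are installed in this JVM.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("java.home = " + System.getProperty("java.home"));
        System.out.println("Max AES key length allowed by JCE policy: " + maxAes);

        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        List<String> missing = unsupportedSuites(factory, REQUESTED);
        if (missing.isEmpty()) {
            System.out.println("All requested suites are supported by the installed providers.");
        } else {
            System.out.println("Suites the listener would fail on:");
            for (String suite : missing) {
                System.out.println("  " + suite);
            }
        }

        // Same call OVD's SocketListener.configureSSLParams makes. JSSE validates the
        // list and throws IllegalArgumentException ("Cannot support ... with currently
        // installed providers") on the first unsupported suite. The socket is unbound,
        // so no port is opened by this check.
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket();
        try {
            socket.setEnabledCipherSuites(REQUESTED);
            System.out.println("setEnabledCipherSuites accepted the full list.");
        } catch (IllegalArgumentException e) {
            System.out.println("Listener start would fail: " + e.getMessage());
        } finally {
            socket.close();
        }
    }
}
```

Compile and run it with the java binary OVD is started with (javac OvdCipherSuitePreflight.java, then java OvdCipherSuitePreflight); running it under a different JDK, which is what Issue #2 amounts to when the policy jars are installed into the wrong java.home, gives a misleading answer. A maxAes of 128 together with only the AES_256 suites listed as missing confirms the JCE policy cause; suites missing even after the unlimited policy is installed are ones the provider does not ship at all. Note also that the "All" selection includes NULL, EXPORT, single-DES, RC4 and MD5 suites, which offer little or no protection, so selecting only the suites the deployment actually needs is preferable regardless of this startup failure.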

Cause
