OVD 11g After Configuring a New OVD Listener for SSL and Selecting "All" Cipher Suites in EM, OVD Fails to Start with: Cannot start Oracle Virtual Directory server: Cannot support TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers. (Doc ID 1603828.1)

Last updated on SEPTEMBER 19, 2016

Applies to:

Oracle Virtual Directory - Version 11.1.1.7.0 and later
Information in this document applies to any platform.

Symptoms

Oracle Virtual Directory (OVD) 11g, i.e., 11.1.1.7.0

Trying to apply SSL/TLS security settings within OVD.

Issue #1:

Steps to reproduce:

Log in to Enterprise Manager: http://<host>:7001/em

Create a new OVD listener on new ports (reference <Document 1210784.1>).

Go to the Enterprise Manager (EM) Fusion Middleware (FMW) Control console > Farm_IDMDomain > Identity and Access > ovd1 > Administration > Listeners.

Create "LDAP SSL Endpoint2" on new port 7502.

Edit New Listener - LDAP SSL Endpoint2:
 Change SSL Settings > Enable SSL checked
 Choose SSL Authentication > Server authentication

 Select "All" Cipher Suites:
       SSL_RSA_WITH_RC4_128_MD5
       SSL_RSA_WITH_RC4_128_SHA
       TLS_RSA_WITH_AES_128_CBC_SHA
       TLS_RSA_WITH_AES_256_CBC_SHA
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
       SSL_RSA_WITH_3DES_EDE_CBC_SHA
       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
       SSL_RSA_WITH_DES_CBC_SHA
       SSL_DHE_RSA_WITH_DES_CBC_SHA
       SSL_RSA_EXPORT_WITH_RC4_40_MD5
       SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
       SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
       SSL_RSA_WITH_NULL_MD5
       SSL_RSA_WITH_NULL_SHA

Select "All" protocols:
       v1
       v3
       v2Hello

Shutdown Target /Farm_IDMDomain/asinst_1/ovd1.

Then Start Target /Farm_IDMDomain/asinst_1/ovd1.

It fails with the following error, which is also reported in $ORACLE_INSTANCE/diagnostics/logs/OVD/ovd1/diagnostic.log:

Cannot start Oracle Virtual Directory server: Cannot support TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers.
Supplemental Detail java.lang.IllegalArgumentException: Cannot support TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers
at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(CipherSuiteList.java:79)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.setEnabledCipherSuites(SSLServerSocketImpl.java:166)
at com.octetstring.vde.frontend.SocketListener.configureSSLParams(SocketListener.java:194)
at com.octetstring.vde.frontend.LDAP.doAllocatePort(LDAP.java:230)
at com.octetstring.vde.frontend.LDAP.startListener(LDAP.java:481)
at com.octetstring.vde.frontend.ListenerHandler.addListener(ListenerHandler.java:100)
at com.octetstring.vde.frontend.ListenerHandler.init(ListenerHandler.java:91)
at com.octetstring.vde.VDEServer.startServer(VDEServer.java:182)
at com.octetstring.vde.VDEServer.main(VDEServer.java:360)


Editing the listener "LDAP SSL Endpoint2" again, selecting SSL Authentication > No authentication (or Mutual Authentication), selecting "All" Cipher Suites, and then running Start on target /Farm_IDMDomain/asinst_1/ovd1 fails with the same kind of error:

Cannot start Oracle Virtual Directory server: Cannot support TLS_DH_anon_WITH_AES_256_CBC_SHA with currently installed providers.
The AES_256 cipher needs to be installed and enabled in the current JVM.

Observation: performing the same steps but selecting "Restart" for ovd1 instead of "Shutdown" followed by "Start", the restart returns "Completed Successfully", giving the impression that it is working, but the log still shows "Cannot start Oracle Virtual Directory server: Unsupported ciphersuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256".


Issue #2:

After properly installing/upgrading local_policy.jar and US_export_policy.jar from the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, restarting all processes, creating a new keystore and certificate from within OVD, creating a new OVD SSL listener, and selecting TLS_RSA_WITH_AES_256_CBC_SHA as the cipher, OVD fails to start and returns the same error:

Cannot start Oracle Virtual Directory server: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA with currently installed providers.
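The error in both issues comes from the JVM's SSL provider rejecting a cipher suite the listener asks it to enable, so the useful first check is to ask that same JVM which of the suites selected in EM it actually supports. The following diagnostic is an added example, not code from this article or from Oracle Virtual Directory; the class name CipherSuiteCheck is an assumption, and it must be compiled and run with the same JDK that starts OVD (otherwise it reports on a different provider set). It lists the "All" cipher suites from the listener page, marks which ones the default provider supports, reports the maximum AES key length the installed JCE policy permits, and then makes the same setEnabledCipherSuites call that appears in the stack trace so that the resulting IllegalArgumentException, if any, is shown directly.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical diagnostic (not part of OVD). Run with the JDK that starts OVD:
 *   $JAVA_HOME/bin/javac CipherSuiteCheck.java
 *   $JAVA_HOME/bin/java CipherSuiteCheck
 * Written against the JDK 6 language level so it runs on older OVD JDKs.
 */
public class CipherSuiteCheck {

    // The "All" cipher suite list from the EM listener page in the article.
    static final String[] SELECTED_IN_EM = {
        "SSL_RSA_WITH_RC4_128_MD5",
        "SSL_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_DES_CBC_SHA",
        "SSL_DHE_RSA_WITH_DES_CBC_SHA",
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "SSL_RSA_WITH_NULL_MD5",
        "SSL_RSA_WITH_NULL_SHA"
    };

    /** Suites from the given list that the JVM's default SSL provider does not support. */
    static List<String> unsupportedSuites(SSLServerSocket probe, String[] wanted) {
        Set<String> supported = new HashSet<String>(Arrays.asList(probe.getSupportedCipherSuites()));
        List<String> missing = new ArrayList<String>();
        for (String suite : wanted) {
            if (!supported.contains(suite)) {
                missing.add(suite);
            }
        }
        return missing;
    }

    /** Same call OVD's SocketListener.configureSSLParams makes; returns the failure message or null. */
    static String tryEnable(SSLServerSocket probe, String[] wanted) {
        try {
            probe.setEnabledCipherSuites(wanted);
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        // Integer.MAX_VALUE means the unlimited-strength JCE policy files are active in
        // this JDK; 128 means the default (limited) policy files are still in place.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key length = "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : String.valueOf(maxAes)));

        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // Unbound server socket: no port is opened, we only need the provider's view.
        SSLServerSocket probe = (SSLServerSocket) factory.createServerSocket();
        try {
            System.out.println("supported protocols = " + Arrays.toString(probe.getSupportedProtocols()));

            List<String> missing = unsupportedSuites(probe, SELECTED_IN_EM);
            for (String suite : SELECTED_IN_EM) {
                System.out.printf("%-42s %s%n", suite, missing.contains(suite) ? "NOT supported" : "supported");
            }

            String failure = tryEnable(probe, SELECTED_IN_EM);
            if (failure == null) {
                System.out.println("setEnabledCipherSuites accepted the full list");
            } else {
                // This is the text that ends up in diagnostic.log when OVD starts.
                System.out.println("setEnabledCipherSuites failed: " + failure);
            }
        } finally {
            try { probe.close(); } catch (IOException ignored) { }
        }
    }
}
```

Any suite printed as "NOT supported" will make the listener start fail exactly as in the stack trace, because setEnabledCipherSuites rejects the whole list on the first unsupported entry. Comparing the java.home line with the JDK path OVD's start script uses is worth doing before anything else, since policy files installed into a different JDK have no effect on the one that actually runs OVD.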



Changes


Cause
