OVD 11g Sorted Search Returns Incomplete Results. OVD Log Error: javax.naming.CommunicationException: bad record MAC Root exception is javax.net.ssl.SSLException: bad record MAC (Doc ID 1928654.1)

Last updated on SEPTEMBER 15, 2016

Applies to:

Oracle Virtual Directory - Version 11.1.1.4.0 to 11.1.1.6.0 [Release 11g]
Information in this document applies to any platform.

Symptoms

Oracle Virtual Directory (OVD) 11.1.1.4.0.

An application, which runs a server-side sort search request on "cn=*" for all internal users, intermittently (sometimes even frequently) returns incomplete or truncated results.

This affects mostly SSL connections from join adapters.

Tuning OVD, JVM and upgrading jdk version does not help.

OVD log main error:

2012-01-25T10:49:21.931-05:00 octetstring ERROR OVD-60176 http://com.octetstring.vde.backend.jndi.JNDIResultBuffer tid: 158596 ecid: 0000JKLZXCK7i4LFeRaAS51F3kK9001^yo,0 JNDI exception: {0}.[[
javax.naming.CommunicationException: bad record MAC Root exception is javax.net.ssl.SSLException: bad record MAC
at com.sun.jndi.ldap.LdapCtx.getSearchReply(LdapCtx.java:1898)
at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:111)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
at com.octetstring.vde.backend.jndi.JNDIEntrySet.hasMoreInternal(JNDIEntrySet.java:408)
at com.octetstring.vde.backend.jndi.JNDIResultBuffer.loadAnEntry(JNDIResultBuffer.java:95)
at com.octetstring.vde.backend.jndi.JNDIResultBuffer.run(JNDIResultBuffer.java:131)
Caused by: javax.net.ssl.SSLException: bad record MAC
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1581)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:850)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at com.octetstring.vde.backend.jndi.OvdJndiInputStream.read(OvdJndiInputStream.java:60)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
at com.sun.jndi.ldap.Connection.run(Connection.java:808)
at java.lang.Thread.run(Thread.java:619)


The logs may also sometimes show other exceptions such as connection resets, LDAP response read timed outs, and/or size limit exceptions, e.g.:

[2012-12-17T18:52:26.598-05:00] [octetstring] [ERROR] [OVD-60176] [com.octetstring.vde.backend.jndi.JNDIResultBuffer] [tid: 1968] [ecid: 0000JifHLdC7a6LFeRv1C51GnfZd0001L2,0] JNDI exception: oidhost.mycompany.com:3060.[[
javax.naming.InterruptedNamingException: Interrupted during LDAP operation
at com.sun.jndi.ldap.Connection.readReply(Connection.java:441)
com.octetstring.vde.util.DirectoryException: LDAP Error 1 : LDAP response read timed out, timeout used:15000ms.
at com.octetstring.vde.backend.jndi.ConnectionHandle.handleError(ConnectionHandle.java:449)
at com.octetstring.vde.backend.jndi.ConnectionHandle.search(ConnectionHandle.java:290)
Followed by:
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:168)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
[2013-03-07T17:03:22.933-05:00] [octetstring] [TRACE] [] [com.octetstring.vde.backend.jndi.JNDIEntrySet] [tid: 21] [ecid: 0000Jp6sKhi9h^LFeRV4C51HDhxw000jSn,0] [SRC_CLASS:
com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Size Limit Exception detected: [LDAP: error code 4 - Sizelimit Exceeded]


The issue can sometimes be reproduced via command line, for example:

 

While there could be infrastructure/connectivity issues from OVD to the backends, OVD is returning incomplete sorted search results as though it were fully successful, instead of returning an appropriate error.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms