OVD 11g SSL Binds to Microsoft (MS) Active Directory (AD) Fail with Log Error: Operation error {0} [[ | com.octetstring.vde.util.DirectoryException: Error occured in communicating with client: java.net.SocketException: Socket closed. (Doc ID 1983074.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Virtual Directory - Version 11.1.1.2.0 to 11.1.1.7.0 [Release 11g]
Information in this document applies to any platform.

Symptoms

Oracle Virtual Directory (OVD) 11g, e.g., 11.1.1.7.0.

SSL binds from OVD to the backend Microsoft (MS) Active Directory (AD) fail, without any changes having been made to OVD or the backend.

The OVD log shows the following error:

[2014-11-06T11:53:56.873-08:00] [octetstring] [ERROR] [] [com.octetstring.vde.OperationHandler] [tid: 54] [ecid: 0000Ka6euU9A9TJLQmk3yd1KLPdI006MUT,0] Operation error {0} [[
com.octetstring.vde.util.DirectoryException: Error occured in communicating with client: java.net.SocketException: Socket closed.
       at com.octetstring.vde.MessageHandler.sendResponse(MessageHandler.java:640)
       at com.octetstring.vde.MessageHandler.doBind(MessageHandler.java:355)
       at com.octetstring.vde.MessageHandler.answerRequest(MessageHandler.java:192)
       at com.octetstring.vde.OperationHandler.run(OperationHandler.java:119)

]]


A direct SSL connection to the backend AD using JXplorer from the same production OVD nodes succeeds, so the issue is isolated to the OVD server.

Further examination and testing showed that custom cipher suite changes (required by AD) previously made to the OVD AD adapter (manually, by editing the adapters.os_xml file) are wiped out whenever unrelated adapter configuration is edited in Oracle Directory Services Manager (ODSM), and the cipher suites automatically revert to the defaults.

Steps to Reproduce:
1. Customize an LDAP adapter with ciphers by manually adding them to adapters.os_xml, for example:

<cipherSuites>
  <cipher>TLS_RSA_WITH_3DES_EDE_CBC_SHA</cipher>
  <cipher>SSL_RSA_WITH_3DES_EDE_CBC_SHA</cipher>
</cipherSuites>

2. Verify that connections to the backend LDAP server work, even after restarting the OVD server.

3. Make any simple and/or unrelated change to the adapter in ODSM.

4. Check adapters.os_xml to see that the custom ciphers configured above have been removed and automatically replaced with the defaults, e.g.:

<cipherSuites>
  <cipher>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</cipher>
  <cipher>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</cipher>
  <cipher>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</cipher>
  <cipher>SSL_DH_anon_WITH_DES_CBC_SHA</cipher>
  <cipher>SSL_DH_anon_WITH_RC4_128_MD5</cipher>
</cipherSuites>

5. At this point, connections to the AD LDAP backend fail.
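
One way to detect the revert described in the steps above, as an added example (not Oracle's code and not part of the original note): a Python check that reads an adapters.os_xml document and reports every cipherSuites block that no longer matches the hand-configured list. Only the cipherSuites/cipher elements and the suite names come from this page; the wrapper elements, the id attribute and the adapter names in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Suites the page's example adds by hand for the AD backend.
EXPECTED = ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA")

# Constructed sample: only <cipherSuites>/<cipher> come from the page; the
# <adapters>/<ldap id=...>/<ssl> wrapper and adapter names are assumptions.
SAMPLE = """<adapters>
  <ldap id="AD_custom"><ssl><cipherSuites>
    <cipher>TLS_RSA_WITH_3DES_EDE_CBC_SHA</cipher>
    <cipher>SSL_RSA_WITH_3DES_EDE_CBC_SHA</cipher>
  </cipherSuites></ssl></ldap>
  <ldap id="AD_reverted"><ssl><cipherSuites>
    <cipher>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</cipher>
    <cipher>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</cipher>
    <cipher>SSL_DH_anon_WITH_RC4_128_MD5</cipher>
  </cipherSuites></ssl></ldap>
</adapters>"""

def local(tag):
    """Strip any XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_cipher_suites(xml_text, expected=EXPECTED):
    """Return one finding per <cipherSuites> block found in the document."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    blocks = [e for e in root.iter() if local(e.tag) == "cipherSuites"]
    findings = []
    for n, elem in enumerate(blocks):
        suites = [c.text.strip() for c in elem if local(c.tag) == "cipher" and c.text]
        # Label the block with the nearest ancestor "id" attribute, else its position.
        node, label = elem, f"cipherSuites[{n}]"
        while node in parent:
            node = parent[node]
            if "id" in node.attrib:
                label = node.attrib["id"]
                break
        findings.append({
            "adapter": label,
            "drifted": set(suites) != set(expected),
            "missing": sorted(set(expected) - set(suites)),
            # Anonymous DH suites do not authenticate the server; EXPORT suites use 40-bit keys.
            "unauthenticated_or_export": [s for s in suites if "_anon_" in s or "_EXPORT_" in s],
        })
    return findings

if __name__ == "__main__":
    for finding in audit_cipher_suites(SAMPLE):
        print(finding)
```

Running it against the real file contents after each ODSM edit shows whether an adapter's list has been replaced by the defaults.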

 

Cause
