My Oracle Support Banner

Using Ldap With Custom Wallet And Self Signed Certificate (Doc ID 2250489.1)

Last updated on MAY 24, 2022

Applies to:

Oracle Access Manager - Version and later
Information in this document applies to any platform.


On : version

After switching from standard OID ldap with SSL to one with a self signed certificate oam SSO no longer working.

Now I can login to WL console but not OAM console or SSO

2017-01-26T13:21:41.571-05:00] [oam_server1] [ERROR] [OAMSSA-20070] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c6e005c011597b82:-747b7103:159dc0067e5:-8000-000000000000025e,0] [APP: oam_server#] Failure locating user with search base: cn=Users,dc=<VALUE>,dc=<VALUE>. filter: (orclsamaccountname={0}) and arguments: OIDIdentityStore, for idstore oracle.igf.ids.IDSException: Operations error: entity=cn=Users,dc=<VALUE>,dc=<VALUE> op=search mesg= AdditionalInfo: LDAP Error 2 : simple bind failed: <LDAPHOSTNAME>.<DOMAIN>:<PORT> with exception {4}
[2017-01-26T13:21:41.578-05:00] [oam_server1] [ERROR] [OAM-02010] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c6e005c011597b82:-747b7103:159dc0067e5:-8000-000000000000025e,0] [APP: oam_server#] User account is locked. Authentication failed.

Management is forcing us to use TLS1.2

#NOT Working
#JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.StdoutDebugEnabled=true -Dweblogic.ssl.JSSEEnabled=true -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djava.ext.dirs=/a01/app/oraweb/java/jre/lib/ext"

The issue can be reproduced at will with the following steps:
I took these steps.

1) Imported the certificate into cacerts for java
2) Enabled JSSE by up dating setdomainenv
3) Ran libovdconfig and imported certificate
4) In weblogic console, changed the ldap settings to point to new ldap with self signed certificate.
5) Bounce all OAM managed servers

Everything works fine. Able to login to console with username and password derived from self signed ldap.

With OAM console user identity store still pointing to 3131 (standard ssl ldap) SSO and OAM console login still works.

Then updated user identity store to use new self signed ldap port save and bounce


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.