Using Ldap With Custom Wallet And Self Signed Certificate

(Doc ID 2250489.1)

Last updated on APRIL 21, 2017

Applies to:

Oracle Access Manager - Version 11.1.2.3.4 and later
Information in this document applies to any platform.

Symptoms

On: version 11.1.2.3.4

ACTUAL BEHAVIOR
---------------
After switching from the standard OID 11.1.1.9 LDAP with SSL to one with a self-signed certificate, OAM SSO is no longer working.

Now I can log in to the WL console but not to the OAM console or SSO.

[2017-01-26T13:21:41.571-05:00] [oam_server1] [ERROR] [OAMSSA-20070] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c6e005c011597b82:-747b7103:159dc0067e5:-8000-000000000000025e,0] [APP: oam_server#11.1.2.0.0] Failure locating user with search base: cn=Users,dc=doe,dc=gov. filter: (orclsamaccountname={0}) and arguments: OIDIdentityStore, for idstore oracle.igf.ids.IDSException: Operations error: entity=cn=Users,dc=doe,dc=gov op=search mesg= AdditionalInfo: LDAP Error 2 : simple bind failed: iesoid1.doe.gov:3132 with exception {4}
[2017-01-26T13:21:41.578-05:00] [oam_server1] [ERROR] [OAM-02010] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c6e005c011597b82:-747b7103:159dc0067e5:-8000-000000000000025e,0] [APP: oam_server#11.1.2.0.0] User account is locked. Authentication failed.

Management is forcing us to use TLS 1.2.

#NOT Working
#JAVA_OPTIONS="${JAVA_OPTIONS} \
#  -Dweblogic.StdoutDebugEnabled=true \
#  -Dweblogic.wsee.security.debug=true \
#  -Djavax.net.debug=all \
#  -Djavax.net.debug=ssl:handshake:verbose \
#  -Dweblogic.ssl.JSSEEnabled=true \
#  -Dweblogic.security.SSL.enableJSSE=true \
#  -Dhttps.protocols=TLSv1.2 \
#  -Djdk.tls.client.protocols=TLSv1.2 \
#  -Djava.ext.dirs=/a01/app/oraweb/java/jre/lib/ext \
#  -Dweblogic.security.SSL.trustedCAKeyStore=/a01/app/oraoam/middle/certs/cacerts \
#  -Dweblogic.security.SSL.ignoreHostnameVerification=true"
# Note: javax.net.debug is set twice (the later value wins); https.protocols only governs HttpsURLConnection,
# jdk.tls.client.protocols governs JSSE clients such as the LDAP connection; trustedCAKeyStore is WebLogic's
# trust store, a different file from the JDK's lib/security/cacerts, so the certificate must be in that file.


EXPECTED BEHAVIOR
-----------------------
Able to log on to the WL console, the OAM console and SSO.

STEPS
-----------------------
The issue can be reproduced at will with the following steps:
I took these steps.

1) Imported the certificate into the Java cacerts
2) Enabled JSSE by updating setDomainEnv
3) Ran libovdconfig and imported the certificate
4) In the WebLogic console, changed the LDAP settings to point to the new LDAP with the self-signed certificate
5) Bounced all OAM managed servers

Everything works fine. I am able to log in to the console with a username and password from the self-signed LDAP.

With the OAM console user identity store still pointing to port 3131 (the standard SSL LDAP), SSO and OAM console login still work.

Then I updated the user identity store to use the new self-signed LDAP port, saved, and bounced.
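The check script below is an added example; it is not from the Oracle note or from the reporter. It uses openssl and keytool to confirm that the certificate the LDAPS port presents is the one in the trust store the JVM actually reads, and that a TLS 1.2-only handshake against that trust anchor succeeds, before the identity store is re-pointed. The host iesoid1.doe.gov, port 3132 and the trust store path in the usage comment are taken from the report above; the alias name is an assumption.

```shell
#!/bin/sh
# Added verification script (not part of the Oracle note). Run it on the OAM
# host before changing the identity store, so that a trust or protocol problem
# shows up here instead of as "simple bind failed" in the OAM log.
# Assumes openssl (and keytool for the keystore check) are on the PATH.
set -u

# Fetch the certificate the LDAP server presents on its LDAPS port and save it
# as PEM in $3. Returns non-zero if nothing usable was retrieved.
fetch_server_cert() {
    host=$1; port=$2; out=$3
    # stdin from /dev/null makes s_client exit once the handshake is done
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out" 2>/dev/null
    [ -s "$out" ]
}

# SHA-256 fingerprint of a PEM certificate; compare it with what
# "keytool -list -v" prints for the alias in the JVM trust store.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^[^=]*=//'
}

# TLS 1.2-only handshake that trusts nothing but $3. Succeeds only when the
# chain verifies, which is what a JVM with the cert in its trust store needs.
check_tls12_handshake() {
    host=$1; port=$2; cafile=$3
    openssl s_client -connect "$host:$port" -tls1_2 -CAfile "$cafile" </dev/null 2>&1 \
        | grep -q 'Verify return code: 0 (ok)'
}

# Same handshake with the default trust store only: prints the OpenSSL verify
# code, 18 for a self-signed certificate that nothing vouches for.
verify_code_without_ca() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -tls1_2 </dev/null 2>&1 \
        | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Is a certificate stored under alias $2 in keystore $1? Point this at the file
# named in -Dweblogic.security.SSL.trustedCAKeyStore as well as at the JDK's
# lib/security/cacerts; they are separate files.
truststore_has_cert() {
    keystore=$1; alias=$2; storepass=${3:-changeit}
    keytool -list -keystore "$keystore" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1
}

# Example run with the host, port and trust store path from the report
# (alias "oid-3132" is assumed):
#   fetch_server_cert iesoid1.doe.gov 3132 /tmp/oid-3132.pem
#   cert_fingerprint /tmp/oid-3132.pem
#   check_tls12_handshake iesoid1.doe.gov 3132 /tmp/oid-3132.pem && echo "TLS 1.2 trust OK"
#   verify_code_without_ca iesoid1.doe.gov 3132
#   truststore_has_cert /a01/app/oraoam/middle/certs/cacerts oid-3132 && echo "in trust store"
```

Verify code 18 without -CAfile is how an untrusted self-signed certificate looks to any client, the JVM included. A 0 with -CAfile while the OAM bind still fails narrows the problem to the trust store and protocol settings of the JVM running OAM rather than to the LDAP server itself.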


Cause
