OID 12.2.1.4 Replication Running On SSL Fail When Anonymous Cypher Is Disabled
(Doc ID 3054416.1)
Last updated on OCTOBER 23, 2024
Applies to:
Oracle Internet Directory - Version 12.2.1.4.0 and later
Information in this document applies to any platform.
Symptoms
After the anonymous cipher is disabled in OID, replication is broken.
The OID replication logs contain errors like:
Changes
- Initially, when replication was configured, the requirement was to run it over LDAPS.
But when running remtool as
remtool -paddnode -bind <SUPPLIER_HOSTNAME:LDAP_SSL_PORT>
the command fails if no anonymous cipher is enabled.
Reference: unpublished Bug 35985720 - "UNABLE TO BIND TO DIRECTORY SERVER" WHEN TRYING TO SET UP SSL REPLICATION
- The remtool command has no option to specify the ciphers, wallet, or SSL type.
According to section 4.4.4 (-paddnode) of the documentation, the command options include only host/port:
remtool -paddnode [-bind supplier_hostname:ldap_port] [-v]
- After enabling the anonymous cipher by adding orclsslciphersuite: TLS_DH_anon_WITH_AES_256_GCM_SHA384
and running remtool -paddnode with <LDAP_SSL_PORT>, replication ran on LDAP_SSL_PORT for some time.
- Some time later, a security audit scan of the servers flagged weak ciphers.
It was decided to disable the anonymous/weak ciphers.
Once those ciphers were removed, replication failed with the message mentioned above: "Unable to read replication configuration information"
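As an added, defender-side example that is not part of this Oracle document: a small Python audit of the orclsslciphersuite values returned by an ldapsearch of the OID instance configuration, flagging anonymous and other weak suites the way the security scan above would. The sample LDIF and its DN are constructed; only the attribute name and the TLS_DH_anon suite come from the note.

```python
"""Audit the cipher suites configured on an OID instance (orclsslciphersuite)."""
import re

# Constructed sample of what `ldapsearch ... orclsslciphersuite` might return.
# The DN and the non-anonymous suites are made up for illustration.
SAMPLE_LDAPSEARCH_OUTPUT = """\
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
orclsslciphersuite: TLS_DH_anon_WITH_AES_256_GCM_SHA384
orclsslciphersuite: TLS_RSA_WITH_AES_256_GCM_SHA384
orclsslciphersuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
orclsslciphersuite: TLS_RSA_WITH_3DES_EDE_CBC_SHA
"""

# Key-exchange prefixes that use a static (non-ephemeral) key, hence no forward secrecy.
STATIC_KX = {"RSA", "DH_RSA", "DH_DSS", "ECDH_RSA", "ECDH_ECDSA"}

def parse_cipher_suites(ldif_text):
    """Return the orclsslciphersuite values from LDIF-style output, in order."""
    return re.findall(r"^orclsslciphersuite:\s*(\S+)", ldif_text, re.M)

def classify_suite(name):
    """Map an IANA-style suite name to a list of audit findings (empty = acceptable)."""
    if name.startswith("TLS_") and "_WITH_" not in name:
        return []  # TLS 1.3 suites carry no key-exchange component to judge
    m = re.match(r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<rest>.+)$", name)
    if not m:
        return ["unrecognised suite name"]
    kx, rest = m.group("kx"), m.group("rest")
    findings = []
    if "anon" in kx.lower():  # DH_anon / ECDH_anon: server is never authenticated
        findings.append("anonymous key exchange (no server authentication)")
    if kx in STATIC_KX:
        findings.append("no forward secrecy")
    if rest.startswith("NULL"):
        findings.append("NULL encryption")
    if "EXPORT" in name or "RC4" in rest or "3DES" in rest or rest.startswith("DES_"):
        findings.append("weak or deprecated bulk cipher")
    if rest.endswith("_MD5") or (rest.endswith("_SHA") and "CBC" in rest):
        findings.append("legacy MAC/CBC construction")
    return findings

def audit(ldif_text):
    """Return {suite: findings} for every configured suite with at least one finding."""
    result = {}
    for suite in parse_cipher_suites(ldif_text):
        findings = classify_suite(suite)
        if findings:
            result[suite] = findings
    return result

def anonymous_suites(ldif_text):
    """The suites whose removal will break any client that relied on an anonymous bind."""
    return [s for s in parse_cipher_suites(ldif_text) if "anon" in s.lower()]
```

Run `audit(SAMPLE_LDAPSEARCH_OUTPUT)` against real ldapsearch output to see which suites a scanner will flag, and `anonymous_suites` to know which removals affect tools that bound through an anonymous cipher.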
Cause