
SSO Login Fails Intermittently In Distributed High Availability Environment (Doc ID 390573.1)

Last updated on AUGUST 15, 2018

Applies to:

Oracle Application Server Single Sign-On - Version 10.1.2.0.2 and later
Information in this document applies to any platform.
***Checked for relevance on 03-FEB-2015***

Symptoms

The environment is a Distributed High Availability (HA) 10g AS architecture with two load-balanced SSO midtiers in Active-Active HA mode and two load-balanced OIDs in Active-Active mode.

SSO login fails approximately 10% of the time; the browser shows an HTTP-500 Internal Server Error or Page Cannot be Displayed.

The following TCP/IP parameters are configured on the 10gAS servers:

   net.ipv4.tcp_keepalive_time = 300
   net.ipv4.tcp_keepalive_probes = 3
   net.ipv4.tcp_keepalive_intvl = 20

SSO policy.properties has the following set:
   connectionIdleTimeout = 10

OID has:
   orclldapconntimeout = 12 
   orclstatsperiodicity = 7
These should be suitable settings for the load-balancer with an idle connection timeout of 15 minutes.

Ref: A.1.9 Oracle Internet Directory Connections Being Disconnected by the Load Balancer or Firewall


$ORACLE_HOME/sso/log/ssoServer.log shows a 'Socket Closed' error, e.g.:

Fri Aug 18 10:12:25 CEST 2006 [ERROR] AJPRequestHandler-ApplicationServerThread-12 Could not get attributes for user, test
  oracle.ldap.util.UtilException: NamingException encountered when resolving user - SIMPLE NAME = TEST oid.oracle.com:636; socket closed
  at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1214)
  at oracle.ldap.util.Subscriber.getUser(Subscriber.java:912)
  at oracle.ldap.util.Subscriber.getUser(Subscriber.java:859)
  at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:493)
  at oracle.security.sso.server.auth.SSOKerbeAuth.authenticate(SSOKerbeAuth.java:154)
  at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:796)
  at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:328)
  at oracle.security.sso.server.ui.SSOLoginServlet.doGet(SSOLoginServlet.java:285)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
  ....................
Fri Aug 18 10:12:25 CEST 2006 [DEBUG] AJPRequestHandler-ApplicationServerThread-12 Directory Exception while getting the user attributes: auth_fail_exception
  oracle.security.sso.server.ldap.DirectoryException: auth_fail_exception
  at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:592)
  at oracle.security.sso.server.auth.SSOKerbeAuth.authenticate(SSOKerbeAuth.java:154)
  at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:796)
  at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:328)
  at oracle.security.sso.server.ui.SSOLoginServlet.doGet(SSOLoginServlet.java:285)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
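
Added example (not part of the Oracle note): a Python triage script for the ssoServer.log layout shown above that isolates ERROR entries caused by a closed LDAP socket and counts them per OID endpoint and per hour, so the intermittent failure rate can be measured. The sample log is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the ssoServer.log layout shown above (not real data).
SAMPLE_LOG = """\
Fri Aug 18 10:12:25 CEST 2006 [ERROR] AJPRequestHandler-ApplicationServerThread-12 Could not get attributes for user, test
  oracle.ldap.util.UtilException: NamingException encountered when resolving user - SIMPLE NAME = TEST oid.oracle.com:636; socket closed
Fri Aug 18 10:12:25 CEST 2006 [DEBUG] AJPRequestHandler-ApplicationServerThread-12 Directory Exception while getting the user attributes: auth_fail_exception
Fri Aug 18 10:40:02 CEST 2006 [ERROR] AJPRequestHandler-ApplicationServerThread-7 Could not get attributes for user, demo
  oracle.ldap.util.UtilException: NamingException encountered when resolving user - SIMPLE NAME = DEMO oid.oracle.com:636; socket closed
Fri Aug 18 10:41:00 CEST 2006 [ERROR] AJPRequestHandler-ApplicationServerThread-3 Some other error
  java.lang.IllegalStateException: unrelated
"""

# Entry header: weekday, month, day, time, zone, year, [LEVEL], thread, message.
HEADER = re.compile(r"^\w{3} (\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\d{4}) \[(\w+)\] (\S+) (.*)$")
# LDAP endpoint (host:port) that precedes the "socket closed" text.
ENDPOINT = re.compile(r"(\S+:\d+); socket closed")

def parse_entries(text):
    """Group each header line with its indented continuation lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y")
            entries.append({"time": stamp, "level": m.group(3),
                            "thread": m.group(4), "body": [m.group(5)]})
        elif entries and line.strip():
            entries[-1]["body"].append(line.strip())
    return entries

def socket_closed_events(text):
    """Return (time, thread, endpoint) for ERROR entries caused by a closed LDAP socket."""
    events = []
    for e in parse_entries(text):
        hit = ENDPOINT.search("\n".join(e["body"]))
        if e["level"] == "ERROR" and hit:
            events.append((e["time"], e["thread"], hit.group(1)))
    return events

def summarize(text):
    """Count socket-closed errors per endpoint and per hour."""
    events = socket_closed_events(text)
    return (Counter(ep for _, _, ep in events),
            Counter(t.strftime("%Y-%m-%d %H:00") for t, _, _ in events))

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Comparing the per-hour counts with the total number of login requests in the same window gives the observed failure rate.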


If WNA is enabled for SSO, the opmn/logs/OC4J~OC4J_SECURITY~default_island~1 log shows:

06/08/18 10:04:02 Broken pipe
06/08/18 10:06:38 Broken pipe
06/08/18 10:12:10 Broken pipe
06/08/18 10:36:30 Error while getting user attributes from OID for the kerberos user: test@ORACLE.COM
06/08/18 10:36:30 oracle.security.jazn.JAZNException: The system is unable to retreive the specified realm(s).
06/08/18 10:36:30 at oracle.security.jazn.spi.ldap.LDAPRealmManager.getDefaultSubscriberRealm(Unknown Source)
.......
06/08/18 10:36:30 Caused by: javax.naming.ServiceUnavailableException: oid.oracle.com:389; socket closed; remaining name 'cn=common,cn=products,cn=oraclecontext'
06/08/18 10:36:30 at com.sun.jndi.ldap.Connection.readReply(Connection.java:410)
06/08/18 10:36:30 at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:701)
.......

 

Cause

This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.