SSO Login Fails Intermittently In Distributed High Availability Environment (Doc ID 390573.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Application Server Single Sign-On - Version 10.1.2.0.2 and later
Information in this document applies to any platform.
***Checked for relevance on 03-FEB-2015***

Symptoms

The environment is a Distributed High Availability (HA) 10g AS architecture with two load-balanced SSO midtiers in Active-Active HA mode and two load-balanced OIDs in Active-Active mode.

SSO login fails approximately 10% of the time; the browser shows an HTTP-500 Internal Server Error or Page Cannot be Displayed.

The following TCP/IP parameters are configured on the 10gAS servers:

   net.ipv4.tcp_keepalive_time = 300
   net.ipv4.tcp_keepalive_probes = 3
   net.ipv4.tcp_keepalive_intvl = 20

SSO policy.properties has the following set:
   connectionIdleTimeout = 10

OID has:
   orclldapconntimeout = 12
   orclstatsperiodicity = 7
These should be suitable settings for a load balancer with an idle connection timeout of 15 minutes.

Ref: A.1.9 Oracle Internet Directory Connections Being Disconnected by the Load Balancer or Firewall


$ORACLE_HOME/sso/log/ssoServer.log shows a 'Socket Closed' error, for example:

Fri Aug 18 10:12:25 CEST 2006 [ERROR] AJPRequestHandler-ApplicationServerThread-12 Could not get attributes for user, test
  oracle.ldap.util.UtilException: NamingException encountered when resolving user - SIMPLE NAME = TEST oid.oracle.com:636; socket closed
  at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1214)
  at oracle.ldap.util.Subscriber.getUser(Subscriber.java:912)
  at oracle.ldap.util.Subscriber.getUser(Subscriber.java:859)
  at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:493)
  at oracle.security.sso.server.auth.SSOKerbeAuth.authenticate(SSOKerbeAuth.java:154)
  at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:796)
  at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:328)
  at oracle.security.sso.server.ui.SSOLoginServlet.doGet(SSOLoginServlet.java:285)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
  ....................
Fri Aug 18 10:12:25 CEST 2006 [DEBUG] AJPRequestHandler-ApplicationServerThread-12 Directory Exception while getting the user attributes: auth_fail_exception
  oracle.security.sso.server.ldap.DirectoryException: auth_fail_exception
  at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:592)
  at oracle.security.sso.server.auth.SSOKerbeAuth.authenticate(SSOKerbeAuth.java:154)
  at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:796)
  at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:328)
  at oracle.security.sso.server.ui.SSOLoginServlet.doGet(SSOLoginServlet.java:285)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)


If WNA is enabled for SSO, the opmn/logs/OC4J~OC4J_SECURITY~default_island~1 log shows:

06/08/18 10:04:02 Broken pipe
06/08/18 10:06:38 Broken pipe
06/08/18 10:12:10 Broken pipe
06/08/18 10:36:30 Error while getting user attributes from OID for the kerberos user: test@ORACLE.COM
06/08/18 10:36:30 oracle.security.jazn.JAZNException: The system is unable to retreive the specified realm(s).
06/08/18 10:36:30 at oracle.security.jazn.spi.ldap.LDAPRealmManager.getDefaultSubscriberRealm(Unknown Source)
.......
06/08/18 10:36:30 Caused by: javax.naming.ServiceUnavailableException: oid.oracle.com:389; socket closed; remaining name 'cn=common,cn=products,cn=oraclecontext'
06/08/18 10:36:30 at com.sun.jndi.ldap.Connection.readReply(Connection.java:410)
06/08/18 10:36:30 at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:701)
.......
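
To quantify how often the connection drops occur and which OID endpoint they hit, the two log formats shown above can be parsed together. This is an added example, not Oracle's code: the sample lines are constructed from the excerpts above, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the ssoServer.log and OC4J_SECURITY lines above.
SAMPLE = [
    "Fri Aug 18 10:12:25 CEST 2006 [ERROR] AJPRequestHandler-ApplicationServerThread-12 Could not get attributes for user, test",
    "  oracle.ldap.util.UtilException: NamingException encountered when resolving user - SIMPLE NAME = TEST oid.oracle.com:636; socket closed",
    "06/08/18 10:04:02 Broken pipe",
    "06/08/18 10:06:38 Broken pipe",
    "06/08/18 10:36:30 Caused by: javax.naming.ServiceUnavailableException: oid.oracle.com:389; socket closed; remaining name 'cn=common,cn=products,cn=oraclecontext'",
]

SSO_TS = re.compile(r"^\w{3} (\w{3} +\d+ \d\d:\d\d:\d\d) \w+ (\d{4}) \[")  # ssoServer.log
OC4J_TS = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) ")                 # OC4J log, yy/mm/dd
ENDPOINT = re.compile(r"([\w.-]+:\d+); socket closed")

def parse_ts(line):
    """Return the line's timestamp (zone name ignored), or None for continuation lines."""
    m = SSO_TS.match(line)
    if m:
        return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y")
    m = OC4J_TS.match(line)
    if m:
        return datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S")
    return None

def triage(lines):
    """Collect (timestamp, symptom, ldap_endpoint) for each dropped-connection line."""
    events, last_ts = [], None
    for line in lines:
        last_ts = parse_ts(line) or last_ts  # stack-trace lines inherit the entry's time
        m = ENDPOINT.search(line)
        if m:
            events.append((last_ts, "socket closed", m.group(1)))
        elif "Broken pipe" in line:
            events.append((last_ts, "broken pipe", None))
    return events

def summarize(events):
    """Count events per (symptom, endpoint), e.g. to compare the 636 and 389 listeners."""
    return Counter((kind, ep) for _, kind, ep in events)

def gaps(events):
    """Seconds between consecutive events in time order, to set beside the idle timeouts."""
    times = sorted(ts for ts, _, _ in events if ts is not None)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    ev = triage(SAMPLE)
    print(dict(summarize(ev)), "gaps (s):", gaps(ev))
```

Feeding it the real ssoServer.log and OC4J_SECURITY log lines from each SSO midtier gives a per-endpoint count and the spacing between failures, which can be set beside the keepalive and idle-timeout values listed above.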

 

Cause
