Symptoms:
We are getting the following errors after enabling the SSL port and disabling the non-SSL port for the Admin Server, when we try to check in a document in WCC:
<oracle.ods.virtualization.engine.backend.jndi.DefaultAuthenticator.BackendJNDI> <LIBOVD-60143> <[#DefaultAuthenticator] Unable to create connection to ldap://[localhost]:7002 as null.
javax.naming.CommunicationException: simple bind failed: localhost:7002 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
Cause:
When the Admin Server is configured to communicate over SSL, defaultLDAP is automatically configured to communicate over SSL as well (LDAPS). With multiple authenticators, when one of them is configured to communicate over SSL, the corresponding LDAP server's root certificate must be placed in the additional keystore used by the virtualization (LibOVD) functionality; otherwise the application cannot establish a connection to defaultLDAP (ldaps://localhost:7002), which is exactly what the "trustAnchors parameter must be non-empty" error reports: the LibOVD truststore has no trusted certificate to validate the server against.
Solution:
Pre-requisites: Before completing this task, make sure of the following:
- The custom property called virtualize is configured and set to true.
- Admin Server SSL port is not enabled. (*)
- Managed servers are down
Steps:
- Create the keystore:
a. Set the environment variables ORACLE_HOME, WL_HOME and JAVA_HOME:
export ORACLE_HOME=/u01/app/oracle/product/middleware/WC1
export WL_HOME=/u01/app/oracle/product/middleware/wlserver_10.3
export JAVA_HOME=/u01/app/jdk1.7.0_65/
b. Set up the keystore by running libovdconfig.sh with the -createKeystore option. Open a shell prompt, change directory to <MW_HOME>/oracle_common/bin and run the following command:
./libovdconfig.sh -host <AdminServerHostName> -port 7001 -userName weblogic -domainPath <DomainPath> -createKeystore
Enter AdminServer password: [Enter the weblogic password]
Enter OVD Keystore password: [Enter a new password to secure the keystore file]
Once this command runs, we see two new credentials in the Credential Store and a new keystore file called adapters.jks under <DOMAIN_HOME>/config/fmwconfig/ovd/default/keystores.
- Export the root certificate from the Admin Server SSL certificate or from the LDAP directory.
- Import the root certificate into the libOVD keystore using the keytool command:
$JAVA_HOME/bin/keytool -import -keystore adapters.jks -storepass <KeyStore password> -alias <alias of your choice> -file <Admin Server Certificate filename>
- Enable the SSL port and disable the non-SSL port of the Admin Server. (*)
- Restart the Admin Server and start all the managed servers.
* This step is not needed if we are only configuring multiple authenticators where the non-defaultLDAP authenticator (AD/OID) is the one communicating over SSL.