Oracle LDAP connection fails over SSL with wallet (Oracle 12c SE1, Red Hat 6.5)
Oracle LDAP connection fails over SSL with wallet [message #642286]
Sun, 06 September 2015 13:24
frankntx
Messages: 11 Registered: September 2015
Junior Member
When using an Oracle wallet (ewallet.p12) that is created with openSSL (not Oracle Wallet Manager), all works fine with wallet and Oracle XE 11.2.
However, when using same wallet, or creating a new wallet, with openSSL and using with Oracle SE1 12c (12.1.0.1), the issue reported previously occurs -- connection times out or gets disconnected.
Also will get "unable to open wallet" errors with new wallet.
We are trying to do an LDAP call over SSL. An LDAP call using the non-SSL port works fine.
The call that is failing is DBMS_LDAP.open_ssl(session,wallet_dir,'XXXX',2);

Re: Oracle LDAP connection fails over SSL with wallet [message #642309 is a reply to message #642300]
Mon, 07 September 2015 12:44
frankntx
Messages: 11 Registered: September 2015
Junior Member
I can give you the following code, keeping in mind that the same code works in another environment with the only difference being the version and edition of Oracle -- XE 11.2g:
DBMS_LDAP.use_exception := TRUE;
-- Connect to the LDAP server.
session := DBMS_LDAP.init(hostname => ldap_host, portnum => ldap_port);
-- open ssl connection for secure communications
ret := DBMS_LDAP.open_ssl(ld => session, sslwrl => wallet_dir, sslwalletpasswd => 'XXXXXX', sslauth => 2);
-- bind the service account
ret := DBMS_LDAP.simple_bind_s(ld => session, dn => name, passwd => pw);
--Moderator edit: corrected the closing code tag, it was missing the /
[Updated on: Mon, 07 September 2015 12:54] by Moderator

Re: Oracle LDAP connection fails over SSL with wallet [message #642314 is a reply to message #642310]
Mon, 07 September 2015 17:30
frankntx
Messages: 11 Registered: September 2015
Junior Member
Here is as much code as I can provide that is secure. Works fine on non-SSL port.
declare
  username   VARCHAR2(156) := 'bugs.bunny@yahoo.com';
  ldap_host  VARCHAR2(156) := 'myhost.org';
  ldap_port  NUMBER := 1234;
  ldap_base  VARCHAR2(156);
  retval     PLS_INTEGER;
  attrs      DBMS_LDAP.string_collection;
  message    DBMS_LDAP.message;
  session    DBMS_LDAP.session;
  sa_name    VARCHAR2(156) := 'CN=ADBind,CN=Accounts,DC=yahoo,DC=users,DC=com';
  sa_pw      VARCHAR2(156) := 'carrot';
  wallet_dir VARCHAR2(156) := 'file:/u01/app/oracle/product/12.1/wallet';
BEGIN
  DBMS_LDAP.use_exception := TRUE;
  session := DBMS_LDAP.init(hostname => ldap_host, portnum => ldap_port);
  retval := DBMS_LDAP.open_ssl(ld => session, sslwrl => wallet_dir, sslwalletpasswd => 'XXXXXX', sslauth => 2);
  retval := DBMS_LDAP.simple_bind_s(ld => session, dn => sa_name, passwd => sa_pw);
  attrs(1) := 'DistinguishedName';
  retval := DBMS_LDAP.search_s(ld => session, base => ldap_base, scope => DBMS_LDAP.SCOPE_SUBTREE, filter => 'mail='||username, attrs => attrs, attronly => 0, res => message);
end;
/
Here is the error from SQL *Plus (check.sql has code from above):
SQL> @check.sql
declare
*
ERROR at line 1:
ORA-03113: end-of-file on communication channel
Process ID: 17413
Session ID: 264 Serial number: 183
SQL>
[Updated on: Mon, 07 September 2015 17:44]

Re: Oracle LDAP connection fails over SSL with wallet [message #642321 is a reply to message #642316]
Tue, 08 September 2015 02:03
John Watson
Messages: 8960 Registered: January 2010 Location: Global Village
Senior Member
Your code compiles OK, but for me it fails (naturally) on the ldap_init on line 18:
orclz> declare
2 username VARCHAR2(156) := 'bugs.bunny@yahoo.com';
3 ldap_host VARCHAR2(156) := 'myhost.org';
4 ldap_port NUMBER := 1234;
5 ldap_base VARCHAR2(156);
6 retval PLS_INTEGER;
7 attrs DBMS_LDAP.string_collection;
8 message DBMS_LDAP.message;
9 session DBMS_LDAP.session;
10 sa_name VARCHAR2(156) := 'CN=ADBind,CN=Accounts,DC=yahoo,DC=users,DC=com';
11 sa_pw VARCHAR2(156) := 'carrot';
12 wallet_dir VARCHAR2(156) := 'file:/u01/app/oracle/product/12.1/wallet';
13
14 BEGIN
15
16 DBMS_LDAP.use_exception := TRUE;
17
18 session := DBMS_LDAP.init(hostname => ldap_host, portnum => ldap_port);
19
20 retval := DBMS_LDAP.open_ssl(ld => session, sslwrl => wallet_dir, sslwalletpasswd => 'XXXXXX', sslauth => 2);
21
22 retval := DBMS_LDAP.simple_bind_s(ld => session, dn => sa_name, passwd => sa_pw);
23
24 attrs(1) := 'DistinguishedName';
25
26 retval := DBMS_LDAP.search_s(ld => session, base => ldap_base, scope => DBMS_LDAP.SCOPE_SUBTREE, filter => 'mail='||username, attrs => attrs, attronly => 0, res => message);
27
28 end;
29 /
declare
*
ERROR at line 1:
ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 79
ORA-06512: at "SYS.DBMS_LDAP", line 50
ORA-06512: at line 18
orclz>
What line does yours fail on?
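
One way to pin down which DBMS_LDAP call fails, as an added example that is not part of the thread or any poster's code: the block runs the same init, open_ssl and simple_bind_s sequence with a stage marker and reports the stage on error. Host, port, wallet path, passwords and DN are placeholders, and the `l_`-prefixed names, `mark` and `release` are illustrative.

```plsql
SET SERVEROUTPUT ON
DECLARE
  -- Placeholder connection values (assumptions, not taken from the thread)
  ldap_host  VARCHAR2(256) := 'ldap.example.org';
  ldap_port  NUMBER        := 636;
  wallet_dir VARCHAR2(256) := 'file:/path/to/wallet';
  wallet_pw  VARCHAR2(256) := 'WALLET_PASSWORD_PLACEHOLDER';
  sa_name    VARCHAR2(256) := 'CN=svc,DC=example,DC=org';
  sa_pw      VARCHAR2(256) := 'BIND_PASSWORD_PLACEHOLDER';
  l_session  DBMS_LDAP.session;
  l_ret      PLS_INTEGER;
  l_stage    VARCHAR2(32) := 'start';

  -- Record the stage locally and as the session action (V$SESSION.ACTION).
  PROCEDURE mark(p_stage IN VARCHAR2) IS
  BEGIN
    l_stage := p_stage;
    DBMS_APPLICATION_INFO.set_action(p_stage);
  END;

  -- Best-effort release of the LDAP session; errors here are not interesting.
  PROCEDURE release IS
  BEGIN
    l_ret := DBMS_LDAP.unbind_s(ld => l_session);
  EXCEPTION
    WHEN OTHERS THEN NULL;
  END;
BEGIN
  DBMS_LDAP.use_exception := TRUE;   -- raise exceptions instead of returning codes

  mark('init');
  l_session := DBMS_LDAP.init(hostname => ldap_host, portnum => ldap_port);

  mark('open_ssl');                  -- sslauth => 2: one-way (server) authentication
  l_ret := DBMS_LDAP.open_ssl(ld => l_session, sslwrl => wallet_dir,
                              sslwalletpasswd => wallet_pw, sslauth => 2);

  mark('simple_bind_s');
  l_ret := DBMS_LDAP.simple_bind_s(ld => l_session, dn => sa_name, passwd => sa_pw);

  mark('unbind_s');
  l_ret := DBMS_LDAP.unbind_s(ld => l_session);
  DBMS_OUTPUT.put_line('init, open_ssl and simple_bind_s all succeeded');
EXCEPTION
  WHEN OTHERS THEN
    -- Diagnostic block only: print the stage and full error stack, no re-raise.
    DBMS_OUTPUT.put_line('Failed at stage ' || l_stage || ': '
                         || DBMS_UTILITY.format_error_stack);
    IF l_stage IN ('open_ssl', 'simple_bind_s') THEN release; END IF;
END;
/
```

When the server process itself dies, as with the ORA-03113 reported in this thread, no handler runs; the stage set through DBMS_APPLICATION_INFO then shows up as the ACTION NAME in the header of the session's trace file.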

Re: Oracle LDAP connection fails over SSL with wallet [message #642356 is a reply to message #642355]
Tue, 08 September 2015 09:21
frankntx
Messages: 11 Registered: September 2015
Junior Member
I've opened an SR with Oracle Support providing the alert log and trace file. Here is their response:
LOG FILE
-----------------------
Filename =incdir_41218/HDSTQA_ora_27959_i41218.trc
See the following error:
ORA-07445: exception encountered: core dump [gsignal()+53] [SIGIOT] [ADDR:0x200006D37] [PC:0x3337A32625] [unknown code] []
Oracle Support - Friday [ODM Issue Clarification]
On : 12.1.0.1 version, Internals Errors (ORA-600 & ORA-7445)
When attempting to run the following:
begin declare
begin
wwv_flow.g_boolean := pkg_sv_security.ldap_auth(
p_username => :p_username,
p_password => :p_password );
end;
end;
The following error occurs.
ERROR
-----------------------
ORA-07445: exception encountered: core dump [gsignal()+53] [SIGIOT] [ADDR:0x200006D37] [PC:0x3337A32625] [unknown code] []
================
Keep in mind that the Oracle XE 11g system (where this works) and the Oracle SE1 12c system (where the failure occurs) are identical systems (the latter is a VM image of the former, which is also a VM). The only difference is in the Oracle version and edition.
Also the PL/SQL call
pkg_sv_security.ldap_auth(
p_username => :p_username,
p_password => :p_password );
contains the code I gave previously.
[Updated on: Tue, 08 September 2015 09:29]

Re: Oracle LDAP connection fails over SSL with wallet [message #642357 is a reply to message #642356]
Tue, 08 September 2015 09:52
John Watson
Messages: 8960 Registered: January 2010 Location: Global Village
Senior Member
Tony (Frank) please! You keep changing the error:
Starting with "unable to open wallet" then ORA-03113 and now it is an ORA-600 & ORA-7445. And you still have not shown what actually happens when you run that code. Can you just do that, in the same way that I did, from SQL*Plus? Of course you can change sensitive values after pasting.

Re: Oracle LDAP connection fails over SSL with wallet [message #642362 is a reply to message #642360]
Tue, 08 September 2015 10:54
frankntx
Messages: 11 Registered: September 2015
Junior Member
Here you go, John.
Connected to Oracle Database 12c Release 12.1.0.1.0
Connected as XXXX
SQL>
SQL> declare
2
3 username VARCHAR2(156) := 'X';
4 ldap_host VARCHAR2(156) := 'X';
5 ldap_port NUMBER := 1234;
6 ldap_base VARCHAR2(156);
7 retval PLS_INTEGER;
8 attrs DBMS_LDAP.string_collection;
9 message DBMS_LDAP.message;
10 session DBMS_LDAP.session;
11 sa_name VARCHAR2(156) := 'CN=X,CN=X,DC=X,DC=X,DC=X';
12 sa_pw VARCHAR2(256) := 'X';
13 wallet_dir VARCHAR2(256) := 'file:/u01/app/oracle/product/12.1/wallet';
14
15 begin
16
17 DBMS_LDAP.use_exception := TRUE;
18
19 session := DBMS_LDAP.init(hostname => ldap_host, portnum => ldap_port);
20
21 retval := DBMS_LDAP.open_ssl(ld => session, sslwrl => wallet_dir, sslwalletpasswd => 'X', sslauth => 2);
22
23 retval := DBMS_LDAP.simple_bind_s(ld => session, dn => sa_name, passwd => sa_pw);
24
25 attrs(1) := 'DistinguishedName';
26
27 retval := DBMS_LDAP.search_s(ld => session, base => ldap_base, scope => DBMS_LDAP.SCOPE_SUBTREE, filter => 'mail='||username, attrs => attrs, attronly => 0, res => message);
28
29 end;
30 /
ORA-03113: end-of-file on communication channel
Process ID: 3450
Session ID: 237 Serial number: 2979
SQL>
Security is tight here ...
[Updated on: Tue, 08 September 2015 11:58] by Moderator

Re: Oracle LDAP connection fails over SSL with wallet [message #642364 is a reply to message #642363]
Tue, 08 September 2015 11:07
frankntx
Messages: 11 Registered: September 2015
Junior Member
Just got this from Oracle My Support:
This is Bug 18818847 - IO to cell timeouts after 5 minutes / dump on gsignal after cell restart/dump on skgxpdordmaqry
There is not a one-off patch for this on My Oracle Support for your release. Your release is the base release and the current supported release is 12.1.0.2
The solution is to:
- Migrate to 12.1.0.2 that has the fix for this issue and many others.
!! NOTE:
This upgrade is only available for Oracle EE 12c.
Oracle SE1 has no version 12.1.0.2. Beginning with the release of Oracle Database 12.1.0.2, Oracle Database Standard Edition (SE) and Oracle Database Standard Edition One (SE1) are no longer being released. 12.1.0.1 was the final edition for SE and SE1. Which means we will have to upgrade to SE2.
Thanks for everyone's help and I hope the NOTE I mentioned above helps others.
[Updated on: Tue, 08 September 2015 12:07]

Re: Oracle LDAP connection fails over SSL with wallet [message #642365 is a reply to message #642364]
Tue, 08 September 2015 12:04
John Watson
Messages: 8960 Registered: January 2010 Location: Global Village
Senior Member
Thanks (I've added [code] tags) it doesn't help, does it?
If Oracle Support were right, you would have a big problem. You are using SE1, and 12.1.0.2 SE1 does not, and will not, exist for 12.1.0.2. So in effect, they are telling you to spend a lot more money on upgrading to SE2.
However, they have told you nonsense. You are using SE1, and that bug refers to Exadata. Better get back to them, and tell them that bug does not apply.