12.2.1.4 Oracle Access Manager post upgrade issues

The issues described in this blog were specific to the environment and, therefore, to its Oracle Fusion Middleware configuration. Let’s go through a few scenarios.

OAM SSO authentication failure

Due to the tightening of the URI parsing method in Java SE 8 Update 331 (April 2022 CPU) and later, login fails with “Invalid Username or Password”.

In the OAM diagnostics log file, notice the [] brackets around the host name, which are no longer accepted because of the Java security updates:

[2023-05-01T12:37:58.699-04:00] [wls_oam1] [WARNING] [LIBOVD-40118] [oracle.ods.virtualization.engine.backend.jndi.adapter1.BackendJNDI] [tid: [ACTIVE].ExecuteThread: '47' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 005yeHku9YG7i4KayTaeMG000164000000,0:1:5:4:4] [APP: oam_server] [partition-name: DOMAIN] [tenant-name: GLOBAL] Could not automatically detect binary attribute list: Malformed IPv6 address at index 8: ldap://[directory.xxxxxxxx.yy]:636.

Apply LIB-OVD application patch 34065178 or the April 2022 SBP for OAM 12.2.1.4. Refer to Doc ID 2865793.1.

EM Manager Fusion Middleware Control blank login

After signing in with EM login credentials, you get a blank farm page. This bug impacts environments upgraded from 12.2.1.3 to 12.2.1.4 and is caused by additional JAR files being added to the CLASSPATH environment variable, especially after invoking $WL_HOME/server/bin/setWLSEnv.sh prior to starting the WebLogic Admin server.

The emoms.log file shows the excerpt below:

[2023-07-01T09:18:08.443-04:00] [AdminServer] [WARNING] [] [oracle.sysman.emSDK.view.errPopup.ErrorPopupUtil] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: abcd] [ecid: 005zqn3QC4J7i4KayTfd6G0000XK000007,0:5] [APP: em] [partition-name: DOMAIN] [tenant-name: GLOBAL] [[
java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at oracle.sysman.emSDK.conf.FMWControlConfigManager.getFederatedOracleHomeList(FMWControlConfigManager.java:2064)
    ... 112 more
Caused by: com.oracle.cie.gdr.external.InventoryException: com.oracle.cie.gdr.utils.GdrException: com.oracle.cie.dependency.DependencyException: java.lang.ExceptionInInitializerError
    at com.oracle.cie.gdr.external.impl.OracleHomeInventoryImpl.<init>(OracleHomeInventoryImpl.java:65)
    at com.oracle.cie.gdr.external.impl.OracleHomeInventoryFactory.createInventory(OracleHomeInventoryFactory.java:60)
    at com.oracle.cie.gdr.external.InventoryFactory.getOracleHomeInventory(InventoryFactory.java:99)
    at com.oracle.cie.gdr.external.InventoryUtil.<init>(InventoryUtil.java:77)
    ... 117 more
Caused by: com.oracle.cie.gdr.utils.GdrException: com.oracle.cie.dependency.DependencyException: java.lang.ExceptionInInitializerError
    at com.oracle.cie.gdr.FeatureLoader.loadFeatureSets(FeatureLoader.java:407)
    at com.oracle.cie.gdr.FeatureLoader.loadMetaData(FeatureLoader.java:243)
    at com.oracle.cie.gdr.FeatureLoader.init(FeatureLoader.java:227)
    at com.oracle.cie.gdr.FeatureLoader.<init>(FeatureLoader.java:155)

You can either apply the patch mentioned in Doc ID 2619679.1 and Doc ID 2681156.1 or, in a new PuTTY session, restart the Admin server without invoking setWLSEnv.sh first.

EM Manager Fusion Middleware Control login spinning on error page

Login to the WebLogic console and the OAM console works fine, but login to EM fails, as can be seen in the Admin server diagnostic log:

[2023-05-18T18:54:20.287-04:00] [AdminServer] [WARNING] [LIBOVD-60024] [oracle.ods.virtualization.engine.backend.jndi.abcd_ldap_prod] [tid: [ACTIVE].ExecuteThread: '38' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: abcd] [ecid: 005yzyjKjKL7i4KayTfd6G00023D000019,0:5] [APP: em] [partition-name: DOMAIN] [tenant-name: GLOBAL] [DSID: 0000OWl4^7X7y0KayTaeMG1^Pdvp000009] Connection error: simple bind failed: directory.xxxxxx.yy:636.
[2023-05-18T18:54:20.288-04:00] [AdminServer] [NOTIFICATION] [] [oracle.adf.share.config.ADFContextMDSConfigHelperImpl] [tid: [ACTIVE].ExecuteThread: '38' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: abcd] [ecid: 005yzyjKjKL7i4KayTfd6G00023D000019,0:5] [APP: em] [partition-name: DOMAIN] [tenant-name: GLOBAL] [DSID: 0000OWl4^7X7y0KayTaeMG1^Pdvp000009] [[
oracle.adf.share.security.ADFSecurityIdentityProviderException:     
Operations error: entity=ou=People,o=xxxxxxxx.yy op=search mesg=LDAP Error 2 : simple bind failed: directory.xxxxxxxx.yy:636
Caused by: oracle.igf.ids.LDAPConnectionException: Operations error: entity=ou=People,o=xxxxxxxx.yy op=search mesg=LDAP Error 2 : simple bind failed: directory.xxxxxxxx.yy:636  AdditionalInfo: LDAP Error 2 : simple bind failed: directory.xxxxxxxx.yy:636

Caused by: oracle.igf.ids.arisid.ArisIdConnectionException: Operations error: entity=ou=People,o=xxxxxxxx.yy op=search mesg=LDAP Error 2 : simple bind failed: directory.xxxxxxxx.yy:636  AdditionalInfo: LDAP Error 2 : simple bind failed: directory.xxxxxxxx.yy:636

Caused by: oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 2 : simple bind failed: directory.uoguelph.ca:636

Caused by: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 2 : simple bind failed: directory.uoguelph.ca:636

Caused by: javax.naming.CommunicationException: simple bind failed: directory.xxxxxxxx.yy:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]

Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Given that the external LDAP is set up for SSL communication and the LDAP root certificate is imported into the custom WebLogic trust store, it also needs to be imported into the trust store used by the LibOVD functionality.
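To tell the three failures in this post apart from the log files alone, the following added example (not part of the original post) classifies diagnostic log lines by the signatures quoted above and attributes stack-trace lines to the server named in the preceding log header. The function names and finding labels are hypothetical, and the sample input is abridged from the excerpts in the post.

```bash
#!/usr/bin/env bash
# Added example: classify ODL diagnostic log lines by the three failure
# signatures quoted in this post. Function names and labels are hypothetical.

# classify_log: read log text on stdin, print "<server> <finding>" once per pair.
classify_log() {
  awk '
    function hit(kind) { if (!seen[server, kind]++) print server, kind }
    # ODL header line "[timestamp] [server] [LEVEL] ...": remember the server so
    # that stack-trace continuation lines are attributed to it.
    /^\[[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T/ { split($0, f, /\] \[/); server = f[2] }
    /Malformed IPv6 address at index/                      { hit("uri-brackets") }
    /com\.oracle\.cie\.gdr\..*ExceptionInInitializerError/ { hit("em-classpath") }
    /trustAnchors parameter must be non-empty/             { hit("libovd-truststore") }
  '
}

# remedy: map a finding to the fix the post gives for it.
remedy() {
  case "$1" in
    uri-brackets)      echo "apply LIB-OVD patch 34065178 or the April 2022 SBP (Doc ID 2865793.1)" ;;
    em-classpath)      echo "patch per Doc ID 2619679.1 / 2681156.1, or start the Admin server without invoking setWLSEnv.sh" ;;
    libovd-truststore) echo "import the LDAP root certificate into the libOVD keystore (adapters.jks)" ;;
    *)                 echo "no known fix" ;;
  esac
}

# Sample input abridged from the excerpts in the post ("[...]" marks removed fields).
sample_log() {
  cat <<'EOF'
[2023-05-01T12:37:58.699-04:00] [wls_oam1] [WARNING] [LIBOVD-40118] [...] Could not automatically detect binary attribute list: Malformed IPv6 address at index 8: ldap://[directory.xxxxxxxx.yy]:636.
[2023-07-01T09:18:08.443-04:00] [AdminServer] [WARNING] [] [oracle.sysman.emSDK.view.errPopup.ErrorPopupUtil] [[
Caused by: com.oracle.cie.gdr.utils.GdrException: com.oracle.cie.dependency.DependencyException: java.lang.ExceptionInInitializerError
[2023-05-18T18:54:20.287-04:00] [AdminServer] [WARNING] [LIBOVD-60024] [...] Connection error: simple bind failed: directory.xxxxxx.yy:636.
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
EOF
}

# Print one line per distinct finding together with the fix from the post.
sample_log | classify_log | while read -r server kind; do
  printf '%s: %s -> %s\n' "$server" "$kind" "$(remedy "$kind")"
done
```

For real use, pipe the server's diagnostic log into `classify_log` instead of `sample_log`.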

Follow the steps below to create the keystore and import the LDAP certificate:

  • Set the environment variables ORACLE_HOME, WL_HOME, JAVA_HOME, PATH and DOMAIN_HOME.
  • Create the keystore by running libovdconfig.sh from $ORACLE_HOME/oracle_common/bin.
    ./libovdconfig.sh -host AdminHost -port 7001 -domainPath $DOMAIN_HOME -userName weblogic -createKeystore
  • Import the root certificate into the libOVD keystore.
    openssl s_client -showcerts -connect directory.xxxxxxxx.yy:636
    keytool -import -alias EntrustRoot -trustcacerts -file server-cert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/default/keystores/adapters.jks
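The openssl step above prints the certificate chain but does not show how the `server-cert` file is produced. The following added example (not part of the original post) splits that output and keeps the last certificate the server presented; the function names are hypothetical, the sample chain is constructed with placeholder bodies, and it assumes the server sends its CA certificate in the chain.

```bash
#!/usr/bin/env bash
# Added example: turn `openssl s_client -showcerts` output into the
# `server-cert` file that the keytool step imports.

# count_certs: number of PEM certificates found on stdin.
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# last_cert: print only the last PEM block on stdin, i.e. the highest
# certificate the server presented (may be an intermediate, not the root).
last_cert() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
    inside                        { buf = buf $0 "\n" }
    /-----END CERTIFICATE-----/   { inside = 0; last = buf }
    END                           { printf "%s", last }
  '
}

# Constructed s_client-style output; bodies are placeholders, not real certs.
sample_chain() {
  cat <<'EOF'
Certificate chain
 0 s:CN = directory.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-BODY
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# Against the real directory (host and keystore path as used in the post):
#   openssl s_client -showcerts -connect directory.xxxxxxxx.yy:636 </dev/null 2>/dev/null | last_cert > server-cert
#   openssl x509 -in server-cert -noout -subject -issuer -fingerprint -sha256
# Compare the printed fingerprint with the one published by the CA, then run
# the keytool -import command and confirm the entry:
#   keytool -list -keystore "$DOMAIN_HOME/config/fmwconfig/ovd/default/keystores/adapters.jks" -alias EntrustRoot

sample_chain | last_cert
```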
