Oracle® Collaboration Suite SSL Configuration Release 2 (9.0.4) Part Number B15611-01
This appendix provides solutions to some problems and errors that you may encounter with your SSL configuration on Oracle Collaboration Suite. This appendix contains the following sections:
This section lists the common errors that occur when accessing Oracle9iAS Portal using the standard SSL port.
Problem 1
WWC-41439 error when trying to access Portal using the 443 SSL port with URL: https://midtierhostname/pls/portal.
This is a known issue with the ptlasst.sh script inserting SSL port 443 into ENABLER tables.
Solution 1
Update the tables manually.
For example, log in to SQL*Plus as the portal schema:
SQL> SELECT LSNR_TOKEN,site_id FROM wwsec_enabler_config_info$;
LSNR_TOKEN                 SITE_ID
xyz.us.oracle.com:7777     1324
xyz.us.oracle.com:443      1329
SQL> UPDATE wwsec_enabler_config_info$ SET LSNR_TOKEN = 'midtierhost.domain.com' WHERE site_id = 1329;
SQL> commit;
You should now be able to log in to the Middle Tier by using the following URL: https://midtierhostname
Problem 2
The Portlet could not be contacted. SSL Handshake Failed NZERROR=28858
Note: You may encounter this error while attempting to get to https://midtierhostname/pls/portal
Solution 2
Check $ORACLE_HOME/Webcache/logs/event_log on the Middle Tier. Then check the accuracy of the entry that you created in the web.xml file as described in Section 7.2.
Problem 3
The Portlet could not be contacted. SSL Handshake Failed NZERROR=28874
Note: You may still receive the following error while attempting to get to https://midtierhostname/pls/portal
Solution 3
Check $ORACLE_HOME/Webcache/logs/event_log on the Middle Tier. This is a known issue with the http_client.jar file.
You can fix this by following Metalink note: 225502.1. This will require downloading and applying a patch.
Problem 4
The address from which this authentication request was made does not match your IP address. Notify your administrator if you believe this message to be in error. (WWC-41452)
Note: Users encounter this error when attempting to log in to Portal only.
Solution 4
You can turn off the IP Check feature by running the following SQL commands:
sqlplus portal schema/portal password
SQL> SELECT url_cookie_ip_check FROM wwsec_enabler_config_info$;
If it is not set to N, then run the following:
SQL> UPDATE wwsec_enabler_config_info$ SET url_cookie_ip_check='N';
SQL> commit;
SQL> exit
Problem 5
The style sheet was the only component on the Portal page that could not be secured.
Solution 5
This style sheet issue is corrected by the 9.0.4.2.0 patch set.
Problem 6
Incorrect rendering while connecting to http://midtierhostname.domain.com:443
The header link in the e-mail portlet will open the following URL: http://hostname.domain.com:443
The URL does not display properly. The first time you access the URL it may display properly, but subsequent accesses will not display properly.
Solution 6
Modify the $ORACLE_HOME/j2ee/OC4J_UM/config/oc4j.properties file on the Middle Tier. Set oracle.mail.client.portlet.HTTPStowebmail=TRUE. Then stop and restart the Middle Tier by running the following commands:
opmnctl stopall
opmnctl startall
This section lists the common errors that occur when accessing Oracle Webmail using the standard SSL port.
Problem 7
In Traffic_cop, if you log in as orcladmin or as an administrative user, you have the option to create new users in Oracle WebMail. If the user is not already created in Oracle Internet Directory, then the Web client will prompt you to create the user first and supply you with a link to Oracle Internet Directory Delegated Administration Services. This link is incorrect.
Solution 7
Ensure that the URL for Delegated Administration Services (DAS) is configured correctly as explained in Section 6.2. Clear the Portal cache and Oracle Internet Directory cache as follows:
To clear Portal cache:
Shut down the Middle Tier.
opmnctl stopall
Delete the plsql and session directories in $ORACLE_HOME/Apache/modplsql/cache on the Middle Tier.
Restart the Middle Tier.
opmnctl startall
To clear Oracle Internet Directory cache:
Log in to Portal as a portal user.
Click Builder, click Admin, click Global Settings, and then click the SSO/OID tab.
Select the Refresh Cache for OID Parameters option.
Click Apply.
Problem 8
Browse buttons have Oracle9iAS Single Sign-On warnings.
Solution 8
See Solution 7.
This section lists the common errors that occur when accessing Oracle Web Conferencing using the standard SSL port.
Problem 9
The Oracle Web Conferencing portlet does not work properly.
When you attempt to access a conference from the main portal site, you are directed to an HTTP error page that displays the message: "Page cannot be found".
Solution 9
This can be fixed by editing the $ORACLE_HOME/j2ee/OC4J_UM/config/oc4j.properties file on the Middle Tier. Change the oracle.mail.Portlet.httpsToWebmail parameter to TRUE to correct the problem. You may need to restart OC4J_IMEETING.
This section lists the common errors that occur when accessing Oracle Files using the standard SSL port.
Problem 10
The files Portlet is not rendering in HTTPS. If you hover over the links they display as: http://midtierhostname:443/files/app/FileBrowsePage?event=ChangeDir&FBP=Private
This URL should begin with https, not http.
Solution 10
Using the Enterprise Manager, ensure that the following server properties in FilesBaseServerConfiguration: ApplicationHost, ApplicationPort and ApplicationUseHttps are correct. If these correctly point to the reverse proxy URL and port, then the images should be generated correctly.
Navigate to http://midtierhost:1810
Select the Middle Tier middle.midtierhostname
iFS_infrahostname:1521:store.infrahostname:FILES
Server Configurations
FilesBaseServerConfiguration
Confirm the following parameters:
IFS.SERVER.APPLICATION.UIX.ApplicationPort = 443
IFS.SERVER.APPLICATION.UIX.ApplicationHost = midtierhostname
IFS.SERVER.APPLICATION.UIX.ApplicationUseHttps = true
This also fixes the Oracle Ultra Search portlet because Oracle Files and Oracle Ultra Search are closely linked together.
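After applying the fixes for Problems 5, 6 and 10, a saved copy of the rendered Portal page can be checked for the two symptoms described: links that use http:// against port 443, and components still loaded over HTTP on an HTTPS page. The following is an added example, not Oracle code; the function name audit_page, the sample markup and the style sheet path are assumptions made for illustration.

```python
# Added example (not Oracle code): audit a rendered Portal page for SSL link problems.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

URL_ATTRS = {"href", "src", "action"}
SUBRESOURCE_TAGS = {"link", "script", "img", "iframe"}

class _LinkCollector(HTMLParser):
    """Collects (tag, url) pairs from every URL-bearing attribute."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append((tag, value))

def audit_page(page_url, html):
    """Return sorted (issue, tag, absolute_url) tuples for one rendered page."""
    collector = _LinkCollector()
    collector.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = set()
    for tag, raw in collector.links:
        url = urljoin(page_url, raw)          # resolve relative links
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        if parts.port == 443:
            # Problems 6 and 10: plain HTTP aimed at the SSL port.
            findings.add(("http-on-ssl-port", tag, url))
        elif page_is_https and tag in SUBRESOURCE_TAGS:
            # Problem 5: a component loaded over HTTP on an HTTPS page.
            findings.add(("insecure-subresource", tag, url))
    return sorted(findings)

# Constructed sample markup; host name and style sheet path are placeholders.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://midtierhostname/portal/css/style.css">
</head><body>
<a href="http://midtierhostname:443/files/app/FileBrowsePage?event=ChangeDir&FBP=Private">Private</a>
<a href="/pls/portal">Home</a>
<a href="https://midtierhostname/um/traffic_cop">Mail</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page("https://midtierhostname/pls/portal", SAMPLE_HTML):
        print(*finding)
```

An empty result for a page fetched through the SSL port indicates that the ApplicationHost, ApplicationPort and ApplicationUseHttps settings are being honoured when links are generated.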
Problem 11
Logging in when two Oracle HTTP Servers are on the same host and using Microsoft Internet Explorer and SSL Configuration (from Metalink note: 235112.1).
When two Oracle9iAS HTTP Servers are running on a single computer, such as when the Infrastructure and Middle Tier are both installed on a single server, logging in to Portal is not possible when using a Microsoft Internet Explorer (MSIE) Browser. This has been verified with versions 5.5 and 6.0 of MSIE. The problem occurs when a browser redirect is issued from one port used by the Oracle9iAS Single Sign-On server, to the port used by Web Cache which is fronting the Oracle9iAS Portal. When MSIE receives the redirect it erroneously sets the Host: header with the first port rather than the destination port. This behavior is not exhibited by Netscape Navigator (versions 4.6, 4.7, 7.0). When this error occurs with MSIE, one of the following error messages may be displayed after an attempt to log in:
Error: Unexpected error encountered in wwsec_app_priv.process_signon (ORA-6502: PL/SQL: numeric or value error: character string buffer too small) (WWC-41417)
Refresh the page to bypass this error
Solution 11
Oracle cannot recommend a solution to this problem because it is internal to Microsoft Internet Explorer. The Oracle Collaboration Suite setup as described in Metalink note 235112.1 will bypass this issue.
Problem 12
Redirecting to the wrong port.
Attempting to access https://midtierhostname:4444/um/traffic_cop directs to: https://collabtng11.us.oracle.com/pls/orasso to log in and then redirects back to: https://midtierhostname/um/traffic_cop
This fails with 404 because it is the wrong port. The redirect should be: https://collabtng11.us.oracle.com:4444/um/traffic_cop
This problem is not reproducible in Netscape 7.1/4.7 or Mozilla 1.6.
The problem is reproducible in Microsoft Internet Explorer only.
Solution 12
If you use Web Cache as described in Chapter 4, "Configuring Web Cache for SSL", you will not encounter this problem.
This section lists the common errors that occur when accessing Calendar using the standard SSL port.
Problem 13
Referencing the old Oracle9iAS Single Sign-On site ID.
Solution 13
The Calendar issue may be corrected by changing the httpd.conf file on the Middle Tier.
Comment out the include line as shown in this example:
# General setup for the virtual host
# include "midtier_install_path/.../Apache/Apache/conf/modosso_https.conf"
Problem 14
Out of the box, the calendar Portlet does not work with HTTPS. You receive the error message: "This service is currently unavailable, please try later".
Solution 14
Apply the following patch:
3458344 Calendar: Patch Oracle Calendar Application System 9.0.4.1.6
Read the install instructions for the patch. To apply the patch:
Before you apply the patch, add the following lines in the file $ORACLE_HOME/config/jazn-data.xml:
= = = = add to jazn-data.xml = = = =
<jazn-policy>   #Do not enter this line as it is just to show where to insert the text.
  <grant>
    <grantee>
      <codesource>
        <url>file:$ORACLE_HOME/webclient/lib/webclient_common.jar</url>
      </codesource>
    </grantee>
    <permissions>
      <permission>
        <class>oracle.ias.repository.schemaimpl.CheckRepositoryPermission</class>
        <name>connectAs</name>
      </permission>
    </permissions>
  </grant>
After the 3458344 patch is applied, edit $ORACLE_HOME/j2ee/OC4J_Portal/applications/webclient-calendar/webclient-calendar-web/Portlets/Calendar.jsp.
Remove the following line because we are not using authentication:
System.setProperty("javax.net.ssl.KeyStorePassword", "Oracle_Wallet_Password");
Edit the following line:
System.setProperty("javax.net.ssl.KeyStore", "Oracle_Wallet_Client_Certificate_Path");
Replace the Oracle_Wallet_Client_Certificate_Path with the path to Oracle Wallet, for example:
System.setProperty("javax.net.ssl.KeyStore", "/u02/mtier/Apache/Apache/conf/ssl.wlt/default");
Include the following Java Archive (JAR) files in the Oracle Containers for J2EE (OC4J) instance CLASSPATH:
$ORACLE_HOME/jlib/javax-ssl-1_1.jar
$ORACLE_HOME/jlib/jssl-1_1.jar
For example, you could include JAR files in $ORACLE_HOME/j2ee/OC4J_Portal/config/application.xml by using the following lines:
<library path="$ORACLE_HOME/jlib/javax-ssl-1_1.jar"/>
<library path="$ORACLE_HOME/jlib/jssl-1_1.jar"/>
On AIX, Solaris, and Linux systems, ensure that libnjssl9.so is in the directory specified in the LD_LIBRARY_PATH environment variable. On HP-UX systems, ensure that libnjssl9.sl is in the directory specified in the SHLIB_PATH environment variable.
The following notes are available on the Metalink Web site, which you can access at http://www.metalink.oracle.com
On this Web site, you can search for a particular note by using the note number.
235112.1: How to Configure Portal 9.0.2.x to enable access via HTTPS (SSL)
254790.1: Securing your Oracle Collaboration Suite installation
230164.1: Configuring Reverse Proxy in front of 9ias v2 SSO (Single Sign-On) server on UNIX
225502.1: HTTPClient.HTTPConnection.initDefaultSSLCredential and SSL Handshake Failed NZERROR=28874 when configuring SSL with Portal 9.0.2.x
251789.1: Configuring Middle Tier mod_osso Protected Applications for Both HTTP and HTTPS Access
205119.1: Unable to Login to Portal: ERROR WWC-41452