Oracle® Collaboration Suite SSL Configuration
Release 2 (9.0.4)

Part Number B15611-01

A Troubleshooting

This appendix provides solutions to some problems and errors that you may encounter with your SSL configuration on Oracle Collaboration Suite. This appendix contains the following sections:

A.1 Oracle9iAS Portal

This section lists the common errors that occur when accessing Oracle9iAS Portal using the standard SSL port.

Problem 1

WWC-41439 error when trying to access Portal using the 443 SSL port with URL: https://midtierhostname/pls/portal. This is a known issue with the ptlasst.sh script inserting SSL port 443 into ENABLER tables.

Solution 1

Update the tables manually.

For example, log in to SQL*Plus as the portal schema:

SQL> SELECT LSNR_TOKEN,site_id FROM wwsec_enabler_config_info$;
LSNR_TOKEN                 SITE_ID
xyz.us.oracle.com:7777     1324
xyz.us.oracle.com:443      1329
SQL> UPDATE wwsec_enabler_config_info$ SET LSNR_TOKEN = 'midtierhost.domain.com' WHERE site_id = 1329;
SQL> commit;

You should now be able to log in to the Middle Tier by using the following URL:

https://midtierhostname

Problem 2

The Portlet could not be contacted. SSL Handshake Failed NZERROR=28858


Note:

You may encounter this error while attempting to get to https://midtierhostname/pls/portal

Solution 2

Check $ORACLE_HOME/Webcache/logs/event_log on the Middle Tier. Then check the accuracy of the entry that you created in the web.xml file as described in Section 7.2.

Problem 3

The Portlet could not be contacted. SSL Handshake Failed NZERROR=28874


Note:

You may still receive the following error while attempting to get to https://midtierhostname/pls/portal

Solution 3

Check $ORACLE_HOME/Webcache/logs/event_log on the Middle Tier. This is a known issue with the http_client.jar file.

You can fix this by following Metalink note: 225502.1. This will require downloading and applying a patch.

Problem 4

The address from which this authentication request was made does not match your IP address. Notify your administrator if you believe this message to be in error. (WWC-41452)


Note:

Users encounter this error when attempting to log in to Portal only.

Solution 4

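You can turn off the IP Check feature, which raises this error when the address of the authentication request does not match the client IP address, by running the following SQL commands: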

sqlplus portal schema/portal password
SQL>SELECT url_cookie_ip_check FROM wwsec_enabler_config_info$;

If it is not set to N, then run the following. The UPDATE has no WHERE clause, so it changes url_cookie_ip_check in every row of the table:

SQL>UPDATE wwsec_enabler_config_info$ SET url_cookie_ip_check='N';
SQL>commit;
SQL>exit

Problem 5

The style sheet was the only component on the Portal page that could not be secured.

Solution 5

This style sheet issue is corrected by the 9.0.4.2.0 patch set.

Problem 6

Incorrect rendering while connecting to http://midtierhostname.domain.com:443

The header link in the e-mail portlet will open the following URL:

http://hostname.domain.com:443

The URL does not display properly. The first time you access the URL it may display properly, but subsequent accesses will not display properly.

Solution 6

Modify the $ORACLE_HOME/j2ee/OC4J_UM/config/oc4j.properties file on the Middle Tier. Set oracle.mail.client.portlet.HTTPStowebmail=TRUE. Then stop and restart the Middle Tier by running the following commands:

opmnctl stopall
opmnctl startall

A.2 Oracle Webmail

This section lists the common errors that occur when accessing Oracle Webmail using the standard SSL port.

Problem 7

In Traffic_cop, if you log in as orcladmin or as an administrative user, you have the option to create new users in Oracle WebMail. If the user is not already created in Oracle Internet Directory, then the Web client will prompt you to create the user first and supply you with a link to Oracle Internet Directory Delegated Administration Services. This link is incorrect.

Solution 7

Ensure that the URL for Delegated Administration Services (DAS) is configured correctly as explained in Section 6.2. Clear the Portal cache and Oracle Internet Directory cache as follows:

To clear Portal cache:

  1. Shut down the Middle Tier.

    opmnctl stopall
    
    
  2. Delete the plsql and session directories in $ORACLE_HOME/Apache/modplsql/cache on the Middle Tier.

  3. Restart the Middle Tier.

    opmnctl startall
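
The three steps above as one guarded shell function. This is an added example, not a script shipped with Oracle Collaboration Suite; the function name clear_portal_cache and its return codes are assumptions, and it expects opmnctl on the PATH.

```shell
#!/bin/sh
# Added example (not Oracle's script): clear the Portal cache on the Middle Tier.
# Usage: clear_portal_cache "$ORACLE_HOME"

clear_portal_cache() {
    oracle_home=$1
    # Refuse an empty or relative ORACLE_HOME so the delete path below can
    # never resolve to /Apache/... or to somewhere under the current directory.
    case $oracle_home in
        /*) ;;
        *) echo "ORACLE_HOME must be an absolute path" >&2; return 2 ;;
    esac

    cache_dir=$oracle_home/Apache/modplsql/cache
    if [ ! -d "$cache_dir" ]; then
        echo "cache directory not found: $cache_dir" >&2
        return 3
    fi

    # Step 1: shut down the Middle Tier; stop here if the shutdown fails so
    # nothing is deleted underneath a running server.
    opmnctl stopall || { echo "opmnctl stopall failed" >&2; return 4; }

    # Step 2: delete only the plsql and session directories, nothing else
    # that may live in the cache directory.
    for sub in plsql session; do
        target=$cache_dir/$sub
        if [ -d "$target" ]; then
            rm -rf -- "$target"
        fi
    done

    # Step 3: restart the Middle Tier.
    opmnctl startall || { echo "opmnctl startall failed" >&2; return 5; }
}
```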
    
    

To clear Oracle Internet Directory cache:

  1. Log in to Portal as a portal user.

  2. Click Builder, click Admin, click Global Settings, and then click the SSO/OID tab.

  3. Select the Refresh Cache for OID Parameters option.

  4. Click Apply.

Problem 8

Browse buttons have Oracle9iAS Single Sign-On warnings.

Solution 8

See Solution 7.

A.3 Oracle Web Conferencing

This section lists the common errors that occur when accessing Oracle Web Conferencing using the standard SSL port.

Problem 9

The Oracle Web Conferencing portlet does not work properly.

When you attempt to access a conference from the main portal site, you are directed to an HTTP error page that displays the message: "Page cannot be found".

Solution 9

This can be fixed by editing the $ORACLE_HOME/j2ee/OC4J_UM/config/oc4j.properties file on the Middle Tier. Change the oracle.mail.Portlet.httpsToWebmail parameter to TRUE to correct the problem. You may need to restart OC4J_IMEETING.

A.4 Oracle Files

This section lists the common errors that occur when accessing Oracle Files using the standard SSL port.

Problem 10

The files Portlet is not rendering in HTTPS. If you hover over the links they display as: http://midtierhostname:443/files/app/FileBrowsePage?event=ChangeDir&FBP=Private

This URL should begin with https, not http.

Solution 10

Using the Enterprise Manager, ensure that the following server properties in FilesBaseServerConfiguration: ApplicationHost, ApplicationPort and ApplicationUseHttps are correct. If these correctly point to the reverse proxy URL and port, then the images should be generated correctly.

Navigate to

http://midtierhost:1810

Select the Middle Tier middle.midtierhostname

iFS_infrahostname:1521:store.infrahostname:FILES

Server Configurations

FilesBaseServerConfiguration

Confirm the following parameters:

IFS.SERVER.APPLICATION.UIX.ApplicationPort = 443
IFS.SERVER.APPLICATION.UIX.ApplicationHost = midtierhostname
IFS.SERVER.APPLICATION.UIX.ApplicationUseHttps = true

This also fixes the Oracle Ultra Search portlet because Oracle Files and Oracle Ultra Search are closely linked together.
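
To confirm the fixes for Problem 6 and Problem 10, a saved copy of the rendered portal page can be scanned for links that still use the http scheme on port 443. This is an added example, not part of the Oracle documentation; the function name find_http_on_ssl_port and the sample HTML are constructed for illustration.

```shell
#!/bin/sh
# Added example: list links that use plain http on SSL port 443
# in a saved copy of a portal page.

find_http_on_ssl_port() {
    # $1: path to the saved HTML file.
    # Prints each distinct offending URL.
    # Returns 0 if none are found, 1 if any are found, 2 if the file is unreadable.
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }

    # Stage 1 extracts every http:// URL that carries an explicit port.
    # Stage 2 keeps those whose port is exactly 443, so that a port such as
    # 4430 is not reported. https:// URLs never match stage 1.
    hits=$(grep -oiE "http://[A-Za-z0-9.-]+:[0-9]+[^\"' <>]*" "$1" |
           grep -iE '^http://[^/:]+:443([/?#]|$)' |
           sort -u)

    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample modelled on the links quoted in Problems 6 and 10.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<a href="http://midtierhostname:443/files/app/FileBrowsePage?event=ChangeDir&FBP=Private">Private</a>
<a href="https://midtierhostname/pls/portal">Portal</a>
<a href="http://hostname.domain.com:443">Mail</a>
EOF
find_http_on_ssl_port "$sample" || echo "links above still use http on port 443"
rm -f "$sample"
```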

Problem 11

Logging in when two Oracle HTTP Servers are on the same host and using Microsoft Internet Explorer and SSL Configuration (from Metalink note: 235112.1).

When two Oracle9iAS HTTP Servers are running on a single computer, such as when the Infrastructure and Middle Tier are both installed on a single server, logging in to Portal is not possible when using a Microsoft Internet Explorer (MSIE) Browser. This has been verified with versions 5.5 and 6.0 of MSIE. The problem occurs when a browser redirect is issued from one port used by the Oracle9iAS Single Sign-On server, to the port used by Web Cache which is fronting the Oracle9iAS Portal. When MSIE receives the redirect it erroneously sets the Host: header with the first port rather than the destination port. This behavior is not exhibited by Netscape Navigator (versions 4.6, 4.7, 7.0). When this error occurs with MSIE, one of the following error messages may be displayed after an attempt to log in:

Error: Unexpected error encountered in wwsec_app_priv.process_signon (ORA-6502: PL/SQL: numeric or value error: character string buffer too small) (WWC-41417)

Refresh the page to bypass this error

Solution 11

Oracle cannot recommend a solution to this problem because it is internal to Microsoft Internet Explorer. The Oracle Collaboration Suite setup as described in Metalink note 235112.1 will bypass this issue.

Problem 12

Redirecting to the wrong port.

Attempting to access https://midtierhostname:4444/um/traffic_cop

directs to:

https://collabtng11.us.oracle.com/pls/orasso 

to log in and then redirects back to:

https://midtierhostname/um/traffic_cop

This fails with 404 because it is the wrong port. The redirect should be: https://collabtng11.us.oracle.com:4444/um/traffic_cop

This problem is not reproducible in Netscape 7.1/4.7 or Mozilla 1.6.

The problem is reproducible in Microsoft Internet Explorer only.

Solution 12

If you use Web Cache as described in Chapter 4, "Configuring Web Cache for SSL", you will not encounter this problem.

A.5 Oracle Calendar

This section lists the common errors that occur when accessing Calendar using the standard SSL port.

Problem 13

Referencing the old Oracle9iAS Single Sign-On site ID.

Solution 13

The Calendar issue may be corrected by changing the httpd.conf file on the Middle Tier.

Comment out the include line as shown in this example:

# General setup for the virtual host
# include "midtier_install_path/.../Apache/Apache/conf/modosso_https.conf"

Problem 14

Out of the box, the calendar Portlet does not work with HTTPS. You receive the error message: "This service is currently unavailable, please try later".

Solution 14

Apply the following patch:

3458344 Calendar: Patch Oracle Calendar Application System 9.0.4.1.6 

Read the install instructions for the patch. To apply the patch:

  1. Before you apply the patch, add the following lines in the file $ORACLE_HOME/config/jazn-data.xml

    = = = = add to jazn-data.xml = = = = 
    <jazn-policy> #Do not enter this line as it is just to show where to insert the text.
      <grant>
        <grantee>
          <codesource>
            <url>file:$ORACLE_HOME/webclient/lib/webclient_common.jar</url>
          </codesource>
        </grantee>
        <permissions>
          <permission>
            <class>oracle.ias.repository.schemaimpl.CheckRepositoryPermission</class>
            <name>connectAs</name>
          </permission>
        </permissions>
      </grant>
    
    
  2. After the 3458344 patch is applied, edit $ORACLE_HOME/j2ee/OC4J_Portal/applications/webclient-calendar/webclient-calendar-web/Portlets/Calendar.jsp.

    Remove the following line because we are not using authentication:

    System.setProperty("javax.net.ssl.KeyStorePassword", "Oracle_Wallet_Password");

    Edit the following line:

    System.setProperty("javax.net.ssl.KeyStore", "Oracle_Wallet_Client_Certificate_Path");

    Replace the Oracle_Wallet_Client_Certificate_Path with the path to Oracle Wallet, for example:

    System.setProperty("javax.net.ssl.KeyStore",
    "/u02/mtier/Apache/Apache/conf/ssl.wlt/default");

    Include the following Java Archive (JAR) files in the Oracle Containers for J2EE (OC4J) instance CLASSPATH:

    $ORACLE_HOME/jlib/javax-ssl-1_1.jar
    $ORACLE_HOME/jlib/jssl-1_1.jar

    For example, you could include JAR files in

    $ORACLE_HOME/j2ee/OC4J_Portal/config/application.xml

    by using the following lines:

    <library path="$ORACLE_HOME/jlib/javax-ssl-1_1.jar"/>
    <library path="$ORACLE_HOME/jlib/jssl-1_1.jar"/>


    On AIX, Solaris, and Linux systems, ensure that libnjssl9.so is in the directory specified in the LD_LIBRARY_PATH environment variable. On HP-UX systems, ensure that libnjssl9.sl is in the directory specified in the SHLIB_PATH environment variable.

A.6 References

The following notes are available on the Metalink Web site, which you can access at

http://www.metalink.oracle.com

On this Web site, you can search for a particular note by using the note number.