H Troubleshooting Oracle Fusion Middleware

This appendix provides information on how to troubleshoot problems that you might encounter when using Oracle Fusion Middleware. It contains the following sections:

H.1 Diagnosing Oracle Fusion Middleware Problems

Oracle Fusion Middleware components generate log files containing messages that record all types of events, including startup and shutdown information, errors, warning messages, access information on HTTP requests, and additional information. The log files can be used to identify and diagnose problems. See Chapter 12, "Managing Log Files and Diagnostic Data" for more information about using and reading log files.

Oracle Fusion Middleware includes a Diagnostic Framework which aids in detecting, diagnosing, and resolving problems. The problems that are targeted in particular are critical errors such as those caused by code bugs, metadata corruption, and customer data corruption, deadlocked threads, and inconsistent state.

When a critical error occurs, it is assigned an incident number, and diagnostic data for the error (such as log files) are immediately captured and tagged with this number. The data is then stored in the Automatic Diagnostic Repository (ADR), where it can later be retrieved by incident number and analyzed. See Chapter 13, "Diagnosing Problems" for more information about the Diagnostic Framework.

H.2 Common Problems and Solutions

This section describes common problems and solutions. It contains the following topics:

H.2.1 Running out of Data Source Connections

If the database performance has slowed or you receive the following message in the Oracle WebLogic Server log files, you may have leaks in the data source connections:

No resources currently available in pool datasource name
Any product functionality that depend on the datasource will not function as it can't connect database to get required data.

If you receive this message, monitor the connection usage from the Administration Console data source monitoring page:

  1. From Domain Structure, expand Services, then Data Sources.

  2. Click the data source that you want to monitor.

  3. Select the Monitoring tab, then the Statistics tab.

  4. If the table does not display Active Connection Current Count, click Customize this table.

  5. In Column Display, select Active Connection Current Count and move it from the Available to the Chosen box. Click Apply.

  6. In the table, note the number in the Active Connection Current Count column.

If the active current count for a data source keeps increasing and does not go down, this data source is leaking connections. Contact Oracle Support.

H.2.2 Using a Different Version of Spring

When you configure a Managed Server with JRF, Spring 2.0.6 is installed and is placed in the Oracle WebLogic Server system classpath. If a custom application running in a JRF environment requires a different version of Spring, you must use the Filtering ClassLoader mechanism to specify the version of Spring.

Oracle WebLogic Server provides the FilteringClassLoader mechanism so that you can configure deployment descriptors to explicitly specify that certain packages should always be loaded from the application, rather than being loaded by the system classloader. This allows you to use alternate versions of applications such as Spring or Ant.

For more information about using the FilteringClassLoader mechanism, see "Using a Filtering ClassLoader" in Developing Applications for Oracle WebLogic Server.

H.2.3 ClassNotFound Errors When Starting Managed Servers

If a Managed Server is started by Node Manager (as is the case when the servers are started by the Oracle WebLogic Server Administration Console or Fusion Middleware Control), you may receive a ClassNotFound error if Node Manager has not been configured to use the start scripts when starting Managed Servers. See Section 2.7.1 for information about resolving this problem.

H.3 Troubleshooting SSL

This section describes common problems and solutions when working with SSL configuration. It contains the following topics:

H.3.1 Components May Enable All Supported Ciphers

You should be aware that when no cipher is explicitly configured, some 12c (12.1.3) components enable all supported SSL ciphers including DH_Anon (Diffie-Hellman Anonymous) ciphers.

At this time, Oracle HTTP Server is the only component known to set ciphers like this.

Configure the components with the desired cipher(s) if DH_Anon is not wanted.

H.3.2 SSL Certificate Chain Required on Certain Browsers

When you configure SSL for Oracle HTTP Server, you may need to import the entire certificate chain (rootCA, Intermediate CAs and so on).

Certain browsers, for example Internet Explorer, require that the entire certificate chain be imported to the browsers for SSL handshake to work. If your certificate was issued by an intermediate CA, you will need to ensure that the complete chain of certificates is available on the browser or the handshake will fail. If an intermediate certificate in the chain expires, it must be renewed along with all the certificates in the chain ((such as the OHS server certificate).

H.3.3 keyUsage Extension Required for Certificates in JDK7

In JDK6, a self-signed certificate can contain the keyUsage extension without enabling the keyCertSign bit. This is rejected in JDK7.

Under JDK7, if using self-signed CA certificates, ensure that the keyCertSign bit of the keyUsage extension is set. Otherwise connections fail with an exception such as:

0:weblogic.common.ResourceException: Could not create pool connection. The
DBMS driver exception was: IO Error:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: Path does not chain with any
of the trust anchors

The key usage extension defines the purpose (for example enciphering, signature, certificate signing) of the key contained in the certificate.

Conforming CAs must include this extension in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs.

The keyCertSign bit is asserted when the subject public key is used for verifying signatures on public key certificates. When generating self-signed CA certificates in JDK7, therefore, you must ensure that the keyCertSign bit of keyUsage is on.

You can achieve this, for example, by:

  1. Creating a self-signed JKS keystore with option ku:c=keyCertSign, and

  2. migrating the certificate from the keystore to the root wallet which will be used by the SSL DB connection

    orapki wallet jks_to_pkcs12 -wallet ./ -pwd password -keystore ./ewallet.jks-jkspwd password

H.4 Troubleshooting FIPS Configuration

For details about this topic, see Section 8.5.

H.5 Need More Help?

You can find more solutions on My Oracle Support, http://support.oracle.com. If you do not find a solution for your problem, log a service request.

You can also use the Remote Diagnostic Agent, as described in Section H.5.1.

H.5.1 Using Remote Diagnostic Agent

Remote Diagnostic Agent (RDA) is a command-line diagnostic tool that provides a comprehensive picture of your environment. Additionally, RDA can provide recommendations on various topics, for example configuration and security. This aids you and Oracle Support in resolving issues.

RDA is designed to be as unobtrusive as possible; it does not modify systems in any way. A security filter is provided if required.

For more information about RDA, see the readme file, which is located at:

(UNIX) ORACLE_HOME/oracle_common/rda/README_Unix.txt
(Windows) ORACLE_HOME\oracle_common\rda\README_Windows.txt