Upgrade Path for High Availability Deployments

Cloud Gate has updated its Block Cipher mode of operation, which changes how data is encrypted. The change is being rolled out over three patch releases, R1, R2, and R3, so that you can upgrade without service interruptions.

Note:

This upgrade path only applies when you have enabled high availability and are using multi-node deployments.

If you are using high-availability with multiple App Gateways and using a load balancer, you must follow a specific upgrade path. If you perform the upgrades in the wrong order, or miss an upgrade, then you might have problems, such as:

  • Unexpected redirects to Oracle Identity Cloud Service login, because of Cloud Gate failing to decrypt its session cookie.
  • Failures after login, because of Cloud Gate being unable to decrypt its state cookie or the data returned by Oracle Identity Cloud Service.
  • Incomplete logouts, because of Cloud Gate being unable to decrypt the data sent by Oracle Identity Cloud Service.

R1 Patch Release

The R1 patch release encrypts using the old Block Cipher mode of operation, but it adds failover logic to Cloud Gate's decryption operation. If Cloud Gate fails to decrypt using the current Block Cipher mode of operation, it tries again using the new Block Cipher mode of operation. This failover allows Cloud Gate to maintain backward compatibility with session data created by older Cloud Gate clients, and to support decrypting new session data created by Cloud Gate clients running the R2 or R3 patch release of this upgrade path.

R2 Patch Release

The R2 patch release encrypts and decrypts using the new Block Cipher mode of operation. Decryption supports failing over using the old Block Cipher mode of operation. The R2 patch release is not backward compatible with Cloud Gate clients from before the R1 patch release. These older Cloud Gate clients cannot decrypt the new session data created by R2 release Cloud Gate clients.

R3 Patch Release

The table shows how each patch release relates to the Cloud Gate release and to the App Gateway Docker image. Contact Oracle Support to open a support ticket and ask to have the appropriate patch made available to you.

Note:

Only the patch release downloads for R1 and R2 are currently available. When R3 is available, this page will be updated.

Patch Release   Cloud Gate Release   Cloud Gate Build       App Gateway Docker
R1              22.1.49              22.1.49-2201171005     22.1.49-2201040708
R2              22.2.63              22.2.63-2203141550     22.2.57-2202180045
R3              To be announced      To be announced        To be announced
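
The R1 and R2 rules above can be turned into a pre-upgrade check for a load-balanced pool. The following is an added example, not Oracle's code: node names and the 21.0.0 release are constructed, releases below 22.1.49 are assumed to behave as pre-R1, and R3 is not modelled because this page does not describe it.

```python
from itertools import permutations

OLD, NEW = "old-mode", "new-mode"  # the two Block Cipher modes of operation

# Per release: (mode used to encrypt, modes it can decrypt), as described above.
BEHAVIOUR = {
    "pre-R1": (OLD, {OLD}),
    "R1": (OLD, {OLD, NEW}),  # decrypt fails over to the new mode
    "R2": (NEW, {NEW, OLD}),  # decrypt fails over to the old mode
}

# Cloud Gate release numbers from the table on this page.
R1_RELEASE = (22, 1, 49)
R2_RELEASE = (22, 2, 63)


def classify(release):
    """Map a Cloud Gate release string such as '22.1.49' to a behaviour class."""
    version = tuple(int(part) for part in release.split("."))
    if version == R1_RELEASE:
        return "R1"
    if version == R2_RELEASE:
        return "R2"
    if version < R1_RELEASE:
        return "pre-R1"  # assumption: every older release lacks the failover
    raise ValueError("release %s is not covered by this page" % release)


def undecryptable_pairs(pool):
    """Return (writer, reader) node pairs where reader cannot decrypt
    cookies or session data that writer encrypted."""
    broken = []
    for writer, reader in permutations(sorted(pool), 2):
        write_mode, _ = BEHAVIOUR[classify(pool[writer])]
        _, read_modes = BEHAVIOUR[classify(pool[reader])]
        if write_mode not in read_modes:
            broken.append((writer, reader))
    return broken


if __name__ == "__main__":
    # Constructed pool: one node was skipped during the R1 rollout.
    pool = {"gw-a": "22.1.49", "gw-b": "22.2.63", "gw-c": "21.0.0"}
    for writer, reader in undecryptable_pairs(pool):
        print("%s cannot decrypt data written by %s" % (reader, writer))
```

An empty result means any node behind the load balancer can read what any other node wrote, so the next patch step can proceed.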

Configuration Override

You can disable the encryption change in Cloud Gate using the configuration setting encryptWithGcm. This is a boolean setting that is set to false to disable the encryption change.

After making the change, restart the NGINX server. For example, in a WTSS deployment, use:

/u01/data/idcs-cloudgate/bin/cg-reload

Example of a cloudgate.config file

{
  "cloudgateConfig" : {
    "version"                 : "2.9",
    "comment"                 : "Sample Cloud Gate Configuration (HTTPS)",
    "enabled"                 : true,
...
    "general" : {
      "encryptWithGcm": false,
...
    },
...
  }
}

Troubleshooting

This section describes some of the errors you might see if the Cloud Gate deployment mixes incompatible releases, for example, patching directly to R2, or to R3, without patching first to R1.

Failed Login

After successfully signing into Oracle Identity Cloud Service, the Cloud Gate callback (cloudgate/v1/oauth2/callback) will return 401 if Cloud Gate is unable to decrypt the State cookie.

Sample Logging from cg-trace-main.log

# First, the Cloud Gate State cookie ( ORA_OCIS_CG_ST_ ) will fail to decrypt:
[2022-04-07T18:42:34.618617+00:00] [trace3] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [390] [decryptSessionData] [] decryptSessionData: using explicit crypto key
[2022-04-07T18:42:34.618693+00:00] [crit] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [628] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - TUPLE: all keys failed (may be expected if old data)
[2022-04-07T18:42:34.618705+00:00] [crit] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [643] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - prevSHA256=9E30456BA34D76BD5CCBFF74DBF03C734EF4097B1A8725B146E76E99000984B0
[2022-04-07T18:42:34.618713+00:00] [crit] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [645] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - currSHA256=9E30456BA34D76BD5CCBFF74DBF03C734EF4097B1A8725B146E76E99000984B0
[2022-04-07T18:42:34.618722+00:00] [crit] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [647] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - nextSHA256=321846513AE2657C6E0AA36EDDE38AFE8BD1B10169D204CF495EDFFE50F1AEC2
[2022-04-07T18:42:34.618733+00:00] [crit] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [649] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - expiry-loc-svr=2022-08-05 17:39:05
[2022-04-07T18:42:34.618741+00:00] [crit] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [651] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - expiry-loc-fix=2022-08-05 17:39:05
[2022-04-07T18:42:34.618748+00:00] [crit] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [653] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - expiry-loc-pad=2022-08-05 17:41:06
[2022-04-07T18:42:34.618758+00:00] [fail] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [438] [decryptSessionData] [ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621] decryptSessionData: FAIL - all keys failed - SESSIONKEY(REGION-CRYPTO) dataKeyID=9E30456BA34D76BD5CCBFF74DBF03C734EF4097B1A8725B146E76E99000984B0
[2022-04-07T18:42:34.618786+00:00] [fail] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [EncodingEncryptor.cpp] [104] [decrypt] [ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664] decrypt failed (bad key/data?)
[2022-04-07T18:42:34.618793+00:00] [trace3] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [EncodingEncryptor.cpp] [108] [decrypt] [] decrypt: b64=547 cry=410 out=0 bytes
[2022-04-07T18:42:34.618801+00:00] [trace2] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [CookieBase.cpp] [117] [initializeFromRequest] [] Cookie decryption failed [name=ORA_OCIS_CG_ST_cgdev-tenant1_cgdev-tenant1.cgdevcloud.test]
[2022-04-07T18:42:34.618815+00:00] [trace2] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [CookieManager.cpp] [41] [createCookie] [] Added cookie [name=ORA_OCIS_CG_ST_cgdev-tenant1_cgdev-tenant1.cgdevcloud.test] [type=REQUEST_STATE] [initialized=0] [existsInRequest=1] [valid=0] [last-status=ERR_Decrypt_Failed] to CookieManager
 
# Next, the ID Token from IDCS will fail to decrypt:
[2022-04-07T18:42:34.624873+00:00] [trace3] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [OAuthFlows.cpp] [3398] [getIdTokenInImplicitFlow] [] IDCS_CG_ENC isSecretKey=1
[2022-04-07T18:42:34.625048+00:00] [trace3] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [628] [logSessionKey] [] SESSIONKEY(REGION-SECRET) - - TUPLE: attempting decrypt with keys
[2022-04-07T18:42:34.625061+00:00] [trace3] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [637] [logSessionKey] [] SESSIONKEY(REGION-SECRET) - - currSHA256=
[2022-04-07T18:42:34.625069+00:00] [trace3] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [395] [decryptSessionData] [] decryptSessionData: using explicit regional secret
[2022-04-07T18:42:34.625154+00:00] [crit] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [628] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-SECRET) - - TUPLE: all keys failed (may be expected if old data)
[2022-04-07T18:42:34.625168+00:00] [crit] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [637] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-SECRET) - - currSHA256=
[2022-04-07T18:42:34.625177+00:00] [fail] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [SessionKeyManager.cpp] [438] [decryptSessionData] [ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2641 ORA_CG_2642 ORA_CG_1621] decryptSessionData: FAIL - all keys failed - SESSIONKEY(REGION-SECRET) dataKeyID=28C0F2CE5E3B385F9F28E7BED8EC26C5B171E1D65E66FCD2400112EB6B743EAD
[2022-04-07T18:42:34.625220+00:00] [fail] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [EncodingEncryptor.cpp] [104] [decrypt] [ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2641 ORA_CG_2642 ORA_CG_1621 ORA_CG_1664] decrypt failed (bad key/data?)
[2022-04-07T18:42:34.625225+00:00] [trace3] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [EncodingEncryptor.cpp] [108] [decrypt] [] decrypt: b64=2748 cry=2061 out=0 bytes
[2022-04-07T18:42:34.625233+00:00] [trace1] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [OAuthFlows.cpp] [3421] [getIdTokenInImplicitFlow] [ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2641 ORA_CG_2642 ORA_CG_1621 ORA_CG_1664 ORA_CG_2551] id_token decode-and-decryption failed
[2022-04-07T18:42:34.625246+00:00] [trace1] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [OAuthFlows.cpp] [3683] [completeOauthBrowserFlow] [ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2641 ORA_CG_2642 ORA_CG_1621 ORA_CG_1664 ORA_CG_2551 ORA_CG_2534] Could not get ID token
 
# Cloud Gate will attempt to retry the login flow, but this fails as the State cookie failed to decrypt:
[2022-04-07T18:42:34.625251+00:00] [trace1] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [OAuthFlows.cpp] [3686] [completeOauthBrowserFlow] [] Retrying /authorize
[2022-04-07T18:42:34.625255+00:00] [trace2] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [OAuthFlows.cpp] [3314] [retryOauthBrowserFlow] [] Entry
[2022-04-07T18:42:34.625263+00:00] [trace1] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [OAuthFlows.cpp] [3276] [validateStateCookie] [ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2302 ORA_CG_2650 ORA_CG_2653 ORA_CG_2651 ORA_CG_1621 ORA_CG_1664 ORA_CG_2652 ORA_CG_2656 ORA_CG_2641 ORA_CG_2642 ORA_CG_1621 ORA_CG_1664 ORA_CG_2551 ORA_CG_2534 ORA_CG_2539] State cookie invalid
[2022-04-07T18:42:34.625268+00:00] [trace2] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [OAuthFlows.cpp] [3347] [retryOauthBrowserFlow] [] Second retry
[2022-04-07T18:42:34.625272+00:00] [trace2] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [OAuthFlows.cpp] [3354] [retryOauthBrowserFlow] [] Exit, success=0
[2022-04-07T18:42:34.625284+00:00] [trace3] [P:290] [T:0] [E:1.0448b21d2f58bc605049585de68f149d;kXjE] [PlatformUtil.cpp] [602] [addResponseHeader] [] www-authenticate: Bearer error="invalid_session", error_description="Authentication Failure"

Login Loop

If there is an existing Cloud Gate Session, or Oracle Identity Cloud Service SSO session, or both, you might see a login loop, similar to the loop caused by Cloud Gate Session cookies being too large.

When Cloud Gate cannot decrypt the existing Cloud Gate Session cookie, it will redirect to Oracle Identity Cloud Service to kick off authentication (see the /oauth2/v1/authorize request).

The initial request to /smoke/test/oauth/echo goes to a Cloud Gate node that hasn't been patched to R1. As it cannot detect a valid Cloud Gate Session, the unpatched Cloud Gate redirects to Oracle Identity Cloud Service to log in.

The Cloud Gate callback goes to the R2 Cloud Gate node. As the R2 release supports both Block Cipher modes of operation, it is able to decrypt the Cloud Gate State cookie and create a new Cloud Gate Session (encrypted using the new Block Cipher mode of operation).

The /smoke/test/oauth/echo replay request goes to the unpatched Cloud Gate node. And, again, it fails to decrypt the Cloud Gate Session cookie.

This is the login loop.

Sample Logging from cg-trace-main.log

#  The login loop is caused by the Cloud Gate Session cookie ( ORA_OCIS_CG_SESSION_ ) failing to decrypt:
[2022-04-07T20:10:04.971799+00:00] [trace3] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [357] [decryptSessionData] [] decryptSessionData: using default regional session key
[2022-04-07T20:10:04.971815+00:00] [trace3] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [628] [logSessionKey] [] SESSIONKEY(REGION-CRYPTO) - - TUPLE: attempting decrypt with keys
[2022-04-07T20:10:04.971823+00:00] [trace3] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [643] [logSessionKey] [] SESSIONKEY(REGION-CRYPTO) - - prevSHA256=9E30456BA34D76BD5CCBFF74DBF03C734EF4097B1A8725B146E76E99000984B0
[2022-04-07T20:10:04.971832+00:00] [trace3] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [645] [logSessionKey] [] SESSIONKEY(REGION-CRYPTO) - - currSHA256=9E30456BA34D76BD5CCBFF74DBF03C734EF4097B1A8725B146E76E99000984B0
[2022-04-07T20:10:04.971840+00:00] [trace3] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [647] [logSessionKey] [] SESSIONKEY(REGION-CRYPTO) - - nextSHA256=321846513AE2657C6E0AA36EDDE38AFE8BD1B10169D204CF495EDFFE50F1AEC2
[2022-04-07T20:10:04.971853+00:00] [trace3] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [649] [logSessionKey] [] SESSIONKEY(REGION-CRYPTO) - - expiry-loc-svr=2022-08-05 17:39:05
[2022-04-07T20:10:04.971871+00:00] [trace3] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [651] [logSessionKey] [] SESSIONKEY(REGION-CRYPTO) - - expiry-loc-fix=2022-08-05 17:39:05
[2022-04-07T20:10:04.971879+00:00] [trace3] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [653] [logSessionKey] [] SESSIONKEY(REGION-CRYPTO) - - expiry-loc-pad=2022-08-05 17:41:06
[2022-04-07T20:10:04.971887+00:00] [trace3] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [390] [decryptSessionData] [] decryptSessionData: using explicit crypto key
[2022-04-07T20:10:04.971978+00:00] [crit] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [628] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - TUPLE: all keys failed (may be expected if old data)
[2022-04-07T20:10:04.971988+00:00] [crit] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [643] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - prevSHA256=9E30456BA34D76BD5CCBFF74DBF03C734EF4097B1A8725B146E76E99000984B0
[2022-04-07T20:10:04.971996+00:00] [crit] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [645] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - currSHA256=9E30456BA34D76BD5CCBFF74DBF03C734EF4097B1A8725B146E76E99000984B0
[2022-04-07T20:10:04.972004+00:00] [crit] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [647] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - nextSHA256=321846513AE2657C6E0AA36EDDE38AFE8BD1B10169D204CF495EDFFE50F1AEC2
[2022-04-07T20:10:04.972027+00:00] [crit] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [649] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - expiry-loc-svr=2022-08-05 17:39:05
[2022-04-07T20:10:04.972034+00:00] [crit] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [651] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - expiry-loc-fix=2022-08-05 17:39:05
[2022-04-07T20:10:04.972041+00:00] [crit] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [653] [logSessionKey] [] CRITICAL - SESSIONKEY(REGION-CRYPTO) - - expiry-loc-pad=2022-08-05 17:41:06
[2022-04-07T20:10:04.972050+00:00] [fail] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [SessionKeyManager.cpp] [438] [decryptSessionData] [ORA_CG_2302 ORA_CG_2650 ORA_CG_1621] decryptSessionData: FAIL - all keys failed - SESSIONKEY(REGION-CRYPTO) dataKeyID=9E30456BA34D76BD5CCBFF74DBF03C734EF4097B1A8725B146E76E99000984B0
[2022-04-07T20:10:04.972062+00:00] [fail] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [EncodingEncryptor.cpp] [104] [decrypt] [ORA_CG_2302 ORA_CG_2650 ORA_CG_1621 ORA_CG_1664] decrypt failed (bad key/data?)
[2022-04-07T20:10:04.972067+00:00] [trace3] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [EncodingEncryptor.cpp] [108] [decrypt] [] decrypt: b64=3174 cry=2380 out=0 bytes
[2022-04-07T20:10:04.972074+00:00] [trace2] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [CookieBase.cpp] [117] [initializeFromRequest] [] Cookie decryption failed [name=ORA_OCIS_CG_SESSION_cgdev-tenant1_cgdev-tenant1.cgdevcloud.test]
[2022-04-07T20:10:04.972087+00:00] [trace2] [P:290] [T:0] [E:1.ae9c054fa6fe4419bc5e1857e94958ed;kXjE] [CookieManager.cpp] [41] [createCookie] [] Added cookie [name=ORA_OCIS_CG_SESSION_cgdev-tenant1_cgdev-tenant1.cgdevcloud.test] [type=SESSION] [initialized=0] [existsInRequest=1] [valid=0] [last-status=ERR_Decrypt_Failed] to CookieManager

Cross-Domain Logout Failure

The cross-domain logout flow might fail when third-party cookies are disabled and there is a Cloud Gate NGINX server which has been patched to R2, and two Cloud Gate NGINX servers which haven't been patched.

When the R2 server initiates logout, the unpatched nodes fail to decrypt the LOGOUT_DATA post body submitted to Cloud Gate by Oracle Identity Cloud Service.

The cg-trace-main.log file notes decryption failures, such as:

  • all keys failed (may be expected if old data)
  • decrypt failed (bad key/data?)
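
The decryption failures described in this Troubleshooting section can be pulled out of cg-trace-main.log per request. The following is an added example, not part of Cloud Gate: the field layout and messages follow the samples on this page, while the sample lines, their request IDs and the cookie name suffixes are constructed.

```python
import re
from collections import defaultdict

# Field layout taken from the sample cg-trace-main.log lines on this page.
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[P:\d+\] \[T:\d+\] "
    r"\[E:(?P<ecid>[^\]]+)\] \[(?P<src>[^\]]+)\] \[\d+\] "
    r"\[(?P<func>[^\]]+)\] \[(?P<codes>[^\]]*)\] (?P<msg>.*)$"
)
COOKIE = re.compile(r"Cookie decryption failed \[name=(ORA_OCIS_CG_(?:ST|SESSION)_)")
SYMPTOM = {
    "ORA_OCIS_CG_ST_": "state cookie undecryptable (failed login, 401 on callback)",
    "ORA_OCIS_CG_SESSION_": "session cookie undecryptable (login loop)",
}
GENERIC = "decrypt failed"


def triage(lines):
    """Group decryption failures by request (the E: field) and name the symptom."""
    found = defaultdict(set)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # comment lines, blank lines, other formats
        msg, ecid = m["msg"], m["ecid"]
        cookie = COOKIE.search(msg)
        if cookie:
            found[ecid].add(SYMPTOM[cookie.group(1)])
        elif "id_token decode-and-decryption failed" in msg:
            found[ecid].add("ID token undecryptable")
        elif "decrypt failed (bad key/data?)" in msg:
            found[ecid].add(GENERIC)
    report = {}
    for ecid, items in found.items():
        # Keep the generic message only when nothing more specific was logged.
        specific = sorted(items - {GENERIC})
        report[ecid] = specific or ["decrypt failed, data not identified"]
    return report


# Constructed sample lines in the format shown on this page.
SAMPLE = """\
# callback request on a node that cannot read the State cookie
[2022-04-07T18:42:34.618786+00:00] [fail] [P:290] [T:0] [E:req-1] [EncodingEncryptor.cpp] [104] [decrypt] [ORA_CG_2302 ORA_CG_2650] decrypt failed (bad key/data?)
[2022-04-07T18:42:34.618801+00:00] [trace2] [P:290] [T:0] [E:req-1] [CookieBase.cpp] [117] [initializeFromRequest] [] Cookie decryption failed [name=ORA_OCIS_CG_ST_tenant_example.test]
[2022-04-07T18:42:34.625233+00:00] [trace1] [P:290] [T:0] [E:req-1] [OAuthFlows.cpp] [3421] [getIdTokenInImplicitFlow] [ORA_CG_2551] id_token decode-and-decryption failed
[2022-04-07T20:10:04.972074+00:00] [trace2] [P:290] [T:0] [E:req-2] [CookieBase.cpp] [117] [initializeFromRequest] [] Cookie decryption failed [name=ORA_OCIS_CG_SESSION_tenant_example.test]
[2022-04-07T21:00:00.000000+00:00] [fail] [P:290] [T:0] [E:req-3] [EncodingEncryptor.cpp] [104] [decrypt] [ORA_CG_2302] decrypt failed (bad key/data?)
""".splitlines()

if __name__ == "__main__":
    for ecid, symptoms in triage(SAMPLE).items():
        print(ecid, "->", "; ".join(symptoms))
```

Requests reported with only the generic message are the ones to check against the cross-domain logout case, where the failing data is a post body rather than a named cookie.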