Pages

Wednesday, July 25, 2012

Enabling the SSL Oracle Identity Manager Design Console

To enable the SSL for Oracle Identity Manager Design Console divided into two sections. They are

1.    Configuring the OIM Design Console


       The following task's needs to be performed to enable the SSL for Oracle Identity Manager Design Console. They are

1.1    Copy Jar Files


1.1.1    Login into the OIM Server.
1.1.2    Copy the webserviceclient+ssl.jar and cryptoj.jar from the $WLS_HOME/lib to      $OIM_ORACLE_HOME/designconsole/ext directory

1.2    Configuring classpath.sh


1.2.1    Go to the Go to the $OIM_ORACLE_HOME/designconsole directory and edit the classpath.sh file and add the following content before $CLASSPATH. They are

         :./ext/cryptoj.jar:./ext/webserviceclient+ssl.jar

1.2.2       Define the TRUSTSTORE_LOCATION variable in the classpath.sh file.

          TRUSTSTORE_LOCATION = "OIM Trust Store.jks"

          export TRUSTSTORE_LOCATION

1.3    Configuring xlconfig.xml


1.3.1     Go to the $OIM_ORACLE_HOME/designconsole/config directory and edit the xlconfig.xml file.

1.3.2     Modify the following parameters

<ApplicationURL>https://localhost:<sslport>/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>

<java.naming.provider.url>t3s://localhost:<sslport>/oim</java.naming.provider.url>

1.4    Configuring xlclient.sh


1.4.1    Go to the Go to the $OIM_ORACLE_HOME/designconsole/ directory and edit the xlclient.sh file and add the following content if your using Self Signed Cert or root certificate is not trusted authority provider.

1.4.1.1    Turn off the SSL Constraints
              -Dweblogic.security.SSL.enforceConstraints=off \

1.4.1.2    Turn Off the Host Name Verification
        -Dweblogic.security.SSL.ignoreHostnameVerification=true \

1.4.1.3    Turn Off the default Random Number Generator.      
       The changing default Random Number generator shown in the log as follows

       <Jul 25, 2012 11:51:50 AM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>

     To turn of the off the random generator number in the log add the following flag.

    -Dweblogic.security.allowCryptoJDefaultPRNG=true \

    
1.4.1.4    Debug the SSL Parameters    
       -Dssl.debug=true \

     -Dweblogic.StdoutDebugEnabled=true \

1.5    Sample xlclient.sh file


After configuring the xlclient.sh file and the file content should be following format.

    java -DXL.ExtendedErrorOptions=TRUE \
   -DXL.HomeDir=. -Djava.security.policy=config/xl.policy \
   -Djava.security.manager -Djava.security.auth.login.config=config/authwl.conf \
   -Dlog4j.configuration=config/log.properties \
   -Dweblogic.security.SSL.trustedCAKeyStore=$TRUSTSTORE_LOCATION \
   -Dweblogic.security.SSL.enforceConstraints=off \
   -Dweblogic.security.SSL.ignoreHostnameVerification=true \
   -Dweblogic.security.allowCryptoJDefaultPRNG=true \
   -Dssl.debug=true \
   -Dweblogic.StdoutDebugEnabled=true \
   -cp $CLASSPATH com.thortech.xl.client.base.tcAppWindow -server server

2.    Common Errors

2.1    crptoj.jar file missing in the designconsole/ext directory


The cryptoj.jar file is available in the $WLS_HOME/lib directory. Copy the cryptoj.jar file from $WLS_HOME/lib to designconsole/ext directory.
                  If the cryptoj.jar file is not available in the $WLS_HOME/lib directory, please contact the oracle support and refer the article id: 1422084.1.

2.2    javax.security.auth.login.LoginException: java.lang.RuntimeException: Failed to instantiate MD5 SecureRandom: Unsupported algorithm


The javax.security.auth.login.LoginException: java.lang.RuntimeException: Failed to instantiate MD5 SecureRandom: Unsupported algorithm exception is thrown after clicking the Login Button in the Oracle Identity Manager Design Console.

Error:

Error Keyword: DAE.LOGON_DENIED
Description: Invalid Login.
Remedy: Contact your system administrator.
Action: E
Severity: H
Help URL:
Detail:
javax.security.auth.login.LoginException: java.lang.RuntimeException: Failed to instantiate MD5 SecureRandom: Unsupported algorithm, MD5Random, selected for FIPS140 mode: FIPS140_SSL
 at com.certicom.tls.interfaceimpl.TLSSystem.getRandomNumberGenerator(Unknown Source)
 at com.certicom.tls.record.handshake.MessageRandom.initialize(Unknown Source)
 at com.certicom.tls.record.handshake.MessageRandom.<init>(Unknown Source)
 at com.certicom.tls.record.handshake.HandshakeHandler.startHandshake(Unknown Source)
 at com.certicom.tls.interfaceimpl.TLSConnectionImpl.startHandshake(Unknown Source)
 at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
 at com.certicom.tls.record.WriteHandler.write(Unknown Source)
 at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
 at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
 at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
 at java.io.DataOutputStream.flush(DataOutputStream.java:107)
 at weblogic.rjvm.t3.MuxableSocketT3.connect(MuxableSocketT3.java:406)
 at weblogic.rjvm.t3.ConnectionFactoryT3S.createConnection(ConnectionFactoryT3S.java:44)
 at weblogic.rjvm.ConnectionManager.createConnection(ConnectionManager.java:1784)
 at weblogic.rjvm.ConnectionManager.findOrCreateConnection(ConnectionManager.java:1424)
 at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:443)
 at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:322)
 at weblogic.rjvm.RJVMManager.findOrCreateRemoteInternal(RJVMManager.java:254)
 at weblogic.rjvm.RJVMManager.findOrCreate(RJVMManager.java:197)
 at weblogic.rjvm.RJVMFinder.findOrCreateRemoteServer(RJVMFinder.java:238)
 at weblogic.rjvm.RJVMFinder.findOrCreateInternal(RJVMFinder.java:200)
 at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:170)
 at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:153)
 at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:96)
 at weblogic.security.auth.Authenticate.authenticate(Authenticate.java:80)
 at weblogic.security.auth.login.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:184)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:684)
 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
 at Thor.API.Security.LoginHandler.weblogicLoginHandler.login(weblogicLoginHandler.java:62)
 at oracle.iam.platform.OIMClient.login(OIMClient.java:134)
 at oracle.iam.platform.OIMClient.login(OIMClient.java:114)
 at com.thortech.xl.client.base.tcAppWindow.internalLogin(tcAppWindow.java:585)
 at com.thortech.xl.client.base.tcAppWindow.login(tcAppWindow.java:504)
 at com.thortech.xl.client.base.tcAppWindow.<init>(tcAppWindow.java:118)
 at com.thortech.xl.client.base.tcAppWindow.main(tcAppWindow.java:174)

Solution:

 The cryptoj.jar file is missing in the $WLS_HOME/lib directory. Please refer the article id 1422084.1 in the oracle support to resolve the above issue.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)