DPS 6.3.1.1 - Issues while connecting through SSL

Hello !!
I have an issue where my application client reported that they are unable to connect to the LDAP using SSL, whereas everything works fine in LDAP (non-secured).
This is how our deployment looks.
Clients <=> Load Balancer <=> DPS (2 instance) <=> DS (2 masters)
The DPS is configured with DSP (data source pool) (with proportional algorithm of 50:50 to backend data sources). Client Affinity ("read-write-affinity-after-any") is configured for this DSP. The DSP is attached with 2 data sources.
So when the client connected on a secured port using LDAPS, they are unable to authenticate/search against this environment. No issues were found in DS logs for any of the bind/search requests. But in DPS, we noticed the log below, which I want to get clarification on.
Note: I have removed the hostnames/IPs wherever applicable from the logs.
=====================================================
[04/May/2011:12:24:39 -0400] - PROFILE - INFO - conn=1255260 assigned to connection handler cn=default connection handler, cn=connection handlers,cn=config
[04/May/2011:12:24:39 -0400] - CONNECT - INFO - conn=1255260 client=x.x.x.x:52461 server=x.x.x.x:636 protocol=LDAPS
[04/May/2011:12:24:39 -0400] - OPERATION - INFO - conn=1255260 op=0 BIND dn="uid=app_id,ou=applications,dc=example,dc=com" method="SIMPLE" version=3
[04/May/2011:12:24:39 -0400] - SERVER_OP - INFO - conn=1255260 op=0 BIND dn="uid=app_id,ou=Applications,dc=example,dc=com" method="SIMPLE" version=3 s_msgid=3 s_conn=ds_Master2:26560
[04/May/2011:12:24:39 -0400] - SERVER_OP - INFO - conn=1255260 op=0 BIND RESPONSE err=0 msg="" s_conn=ds_Master2:26560
[04/May/2011:12:24:39 -0400] - PROFILE - INFO - conn=1255260 assigned to connection handler cn=CH_ENV_catch-all_LDAPS,cn=connection handlers,cn=config
[04/May/2011:12:24:39 -0400] - OPERATION - INFO - conn=1255260 op=0 BIND RESPONSE err=0 msg="" etime=0
[04/May/2011:12:24:39 -0400] - OPERATION - INFO - conn=1255260 op=1 msgid=2 SEARCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=abcdef)" attrs="*"
[04/May/2011:12:24:39 -0400] - SERVER_OP - INFO - conn=1255260 op=1 SEARCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=abcdef)" attrs="*" s_msgid=498 s_conn=ds_Master1:26072
[04/May/2011:12:24:39 -0400] - SERVER_OP - INFO - conn=1255260 op=1 SEARCH RESPONSE err=0 msg="" nentries=0 s_conn=ds_Master1:26072
[04/May/2011:12:24:39 -0400] - OPERATION - INFO - conn=1255260 op=1 SEARCH RESPONSE err=0 msg="" nentries=0 etime=0
*[04/May/2011:12:24:39 -0400] - DISCONNECT - INFO - conn=1255260 reason="other" msg="Exception caught while polling client connection LDAPS.x.x.x.x.52461 -- javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"*
=======================================================
If you notice in the above logs, the initial Bind request via LDAPS is routed to Master 2. But the subsequent search request (for user abcdef) is routed to Master 1.
And finally the DISCONNECT operation came (last line) without a proper unbind.
Is this alternate routing an expected behavior when client affinity is turned ON? Is this exception causing the application's search failures?
Please shed some pointers on this..
Thanks.
Edited by: Prasee on May 6, 2011 8:07 AM

Pls see inside:
> Thanks for the reply. Yes the client is a loadbalancer in this case. So does it mean that this behavior (sending request to 2 different DS in a same connection) is expected ? I have a few additional queries that arise from your reply :-)
> Loadbalancing algorithm takes precedence "if the request that starts client affinity has not yet occurred"
> Since it's the load balancer that connects to DPS for any/every request every time, how does the DPS know whether a request that starts client affinity has occurred / not occurred?
Well, client affinity starts with a certain operation (not by establishing the client<->dps connection) as specified by your client affinity policy. In your case ("client-affinity-policy:read-write-affinity-after-any") it starts for all operations after the first read or write operation. DPS is not a (network) connection based router - so it does not route the client connection to the data source but forwards the client operations (request) on dedicated bind,read,write,.. connections to a data source selected by your load balancing and/or client affinity policy.
> In our case, it's the same connection (conn=1255260) that receives bind and search request from the client. So when a connection is established, the client affinity should have got enabled and sent the bind request to Master 2 initially, so for the next search request, shouldn't it be sent to Master 2 again?
No, see above.
> Sorry for these questions, I am basically trying to understand more on how client affinity works when a load balancer is in between.
> Coming to the exception,
> [04/May/2011:12:24:39 -0400] - DISCONNECT - INFO - conn=1255260 reason="other" msg="Exception caught while polling client connection LDAPS.x.x.x.x.52461 -- javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
> Does this abrupt shutdown of connection mean the search response would have got dropped before reaching the end client (application)?
Yes, that may be possible ...
> Thanks for your help !!
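
The log pattern discussed in this thread, as an added example that is not part of the original posts: a short Python script that groups DPS access-log lines by `conn`, records which data source each operation was forwarded to, and flags a connection that ended with the `close_notify` exception and no unbind. The sample lines are copied from the log quoted above; the function names, and the assumption that an unbind would show up as an OPERATION line containing `UNBIND`, belong to this example only.

```python
import re
from collections import defaultdict

# Lines copied from the DPS access log quoted in the post (already redacted there).
SAMPLE_LOG = '''\
[04/May/2011:12:24:39 -0400] - CONNECT - INFO - conn=1255260 client=x.x.x.x:52461 server=x.x.x.x:636 protocol=LDAPS
[04/May/2011:12:24:39 -0400] - SERVER_OP - INFO - conn=1255260 op=0 BIND dn="uid=app_id,ou=Applications,dc=example,dc=com" method="SIMPLE" version=3 s_msgid=3 s_conn=ds_Master2:26560
[04/May/2011:12:24:39 -0400] - SERVER_OP - INFO - conn=1255260 op=0 BIND RESPONSE err=0 msg="" s_conn=ds_Master2:26560
[04/May/2011:12:24:39 -0400] - SERVER_OP - INFO - conn=1255260 op=1 SEARCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=abcdef)" attrs="*" s_msgid=498 s_conn=ds_Master1:26072
[04/May/2011:12:24:39 -0400] - SERVER_OP - INFO - conn=1255260 op=1 SEARCH RESPONSE err=0 msg="" nentries=0 s_conn=ds_Master1:26072
[04/May/2011:12:24:39 -0400] - DISCONNECT - INFO - conn=1255260 reason="other" msg="Exception caught while polling client connection LDAPS.x.x.x.x.52461 -- javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
'''

# "[timestamp] - CATEGORY - LEVEL - conn=N rest"; a leading "*" (forum bold marker) is tolerated.
LINE_RE = re.compile(r'^\*?\[[^\]]+\] - (?P<cat>[A-Z_]+) - [A-Z]+ - conn=(?P<conn>\d+)\s*(?P<rest>.*)$')
# Request lines only: the lookahead skips "... RESPONSE" lines, which repeat the same s_conn.
SERVER_OP_RE = re.compile(r'op=(?P<op>\d+) (?P<kind>[A-Z]+) (?!RESPONSE).*s_conn=(?P<backend>[^:\s]+):')


def summarize(log_text):
    """Return {conn_id: summary} built from DPS access-log text."""
    conns = defaultdict(lambda: {"protocol": None, "routes": {}, "unbind": False,
                                 "disconnect": None, "abrupt_tls_close": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        c, cat, rest = conns[m["conn"]], m["cat"], m["rest"]
        if cat == "CONNECT":
            p = re.search(r'protocol=(\S+)', rest)
            c["protocol"] = p.group(1) if p else None
        elif cat == "SERVER_OP":
            s = SERVER_OP_RE.search(rest)
            if s:  # op number -> (operation type, data source the proxy forwarded it to)
                c["routes"][int(s["op"])] = (s["kind"], s["backend"])
        elif cat == "OPERATION" and re.search(r'\bUNBIND\b', rest):
            c["unbind"] = True  # assumption: an unbind is logged as an OPERATION line
        elif cat == "DISCONNECT":
            d = re.search(r'msg="(.*)"', rest)
            c["disconnect"] = d.group(1) if d else rest
            c["abrupt_tls_close"] = "close_notify" in rest
    return dict(conns)


def findings(log_text):
    """List (conn, finding, detail) tuples worth a closer look."""
    out = []
    for conn, c in summarize(log_text).items():
        backends = sorted({b for _, b in c["routes"].values()})
        if len(backends) > 1:
            out.append((conn, "operations forwarded to several data sources", backends))
        if c["abrupt_tls_close"] and not c["unbind"]:
            out.append((conn, "TLS closed without close_notify and no UNBIND", c["disconnect"]))
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE_LOG):
        print(finding)
```

The first finding matches what the reply describes as normal per-operation forwarding; the second marks connections where the peer dropped the TCP connection without a TLS close_notify, which is the case to correlate with load-balancer or client-side logs.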

Similar Messages

  • 10.9.2 Update Issue (VPN) - Eclipse Perl debugger issues while connected to VPN

    This post was initially added to this discussion: 10.9.2 Mavericks update issues
    I have yet another issue related to 10.9.2 update - Eclipse Perl debugger issues while connected to VPN...
    One of the big changes introduced by 10.9.2 update - are VPN changes (security fixes). Unfortunately, whatever these changes are - they "broke" Eclipse (OpenSource IDE) debugger. I am not sure if *all* programming languages (Eclipse plugins) are affected by this, but I know for sure that 'Epic' (Perl plugin) debugger *stopped working* while system is connected through VPN.
    Here is the error that gets “popped-up” in the Eclipse:
    Timed out while waiting for Perl debugger connection
    … and here is exact exception stack that gets printed:
    Unable to connect to remote host: 130.10.210.74:5000
    Compilation failed in require.
    at /Users/valeriy/workspace/ROBO-PROD-RA-685/src/lib/test/Val_test.pm line 0.
              main::BEGIN() called at /Users/valeriy/workspace/.metadata/.plugins/org.epic.debug/perl5db.pl line 0
              eval {...} called at /Users/valeriy/workspace/.metadata/.plugins/org.epic.debug/perl5db.pl line 0
    BEGIN failed--compilation aborted.
    at /Users/valeriy/workspace/ROBO-PROD-RA-685/src/lib/test/Val_test.pm line 0.
    Can't use an undefined value as a symbol reference at /Users/valeriy/workspace/.metadata/.plugins/org.epic.debug/perl5db.pl line 7596.
    END failed--call queue aborted.
    at /Users/valeriy/workspace/ROBO-PROD-RA-685/src/lib/test/Val_test.pm line 0.
    (of course IP address changes dynamically for each VPN connection session)…
    I was able to prove that this issue is related to 10.9.2 update:
    Issue *does not* exist under 10.9.1 (I had to revert back to 10.9.1 to get it working again)
    No updates were performed around the same time 10.9.2 update occurred (I verified that using Software Update log)
    No configuration changes were introduced around the same time
    Reverting back to 10.9.1 using Time Machine (thanks god I had backup !!!) fixed the issue
    Steps to reproduce this issue:
    In Eclipse, try to use 'Epic' (Perl plugin) to debug any perl script while *not* connected through VPN. Epic debugger works
    Connect to VPN
    Start Epic debugger to debug same script
    Debugger *does not* start, and "Timed out while waiting for Perl debugger connection" error pop-up comes up after some time. At the same time, exception stack (listed above) is printed in Eclipse's console
    I am a programmer/software developer, I work remotely (telecommute) and thus have to rely on use of VPN to connect to company's intranet. Perl - is primary language used by my team, and we use Eclipse IDE with Epic plugin - heavily. Use of Epic's debugger - is a *very large* aspect of my work, I cannot work without it. So in essence, 10.9.2 has *entirely* disrupted my ability to work! It took me almost a week to get back to normal work environment, and I cannot afford to let it happen again... I need Apple's development team to resolve this VPN related issue, as soon as possible! Because of this issue, I am *stuck* with 10.9.1 and can not upgrade my laptop to any other versions. In fact, I had to disable system updates - just so I do not run into this issue again... I contacted Apple's Tech Support on 02/28 with this issue (Ref: 582428110), asking to raise trouble ticket. Since then, I tried to follow-up on that issue, but do not get any information. Please advise on the status:
    is there a trouble ticket to track this issue?
    is there any progress?
    what's the ETA for an update that fixes this problem?
    - Val
    Message was edited by: vpogrebi

    Am I the only one experiencing this issue ???

  • MDP to HDMI adapter causing issues while connecting Macbook air late 2013 edition to Projector. Projector shows grains on the display.

    MDP to HDMI adapter causing issues while connecting Macbook air late 2013 edition to Projector. Projector shows grains on the display.

    Sounds like you may have been in extended display mode. If so, all you had to do was drag a window to the projector display. Or, if you wanted mirrored mode, in display preferences select check mirror display.

  • Issue while connecting from Biztalk adapter to SAP ECC 6.0

    Hi Friends
    Issue while connecting from Visual Studio 2005 to SAP ECC 6.0 through Biztalk adapter2.0, even if we pass the correct login details, system is throwing an error like incorrect user/password.
    Can anybody please tell me the solution for this.
    Regards
    Praveen

    HI,
    is there a special "formation" to put in the user / pass ?
    maybe a missing domain ? or missing values like "/" or "\" ?
    Are you getting this error in the Biztalk Monitor (Visual 2005) ?

  • Issue while connecting to MS SQL Server 2008

    Hi everyone,
    I have not seen any thread that gives me a clue to my problem.
    I have OBIEE 10.1.3.4.0 on Windows.
    I have created an ODBC3.5 Datasource to a SQL Server 2008 and the test connection is successful.
    I have also imported the tables from the SQL Server 2008 into the Physical Layer of the OBIEE Administration tool. However after check-in, my problem begins trying to do an Update Row Count with the following Error message:
    NQODBCSQL_STATE: HY000nQSError: 10058 A general error has occurred.
    nQSError: 43093 An error occured while processingthe EXECUTE PHYSICAL statement.
    nQSError: 16023 The ODBC function has returned an error. The database may not be available, or the network may be down.
    Any suggestion or pointer will be greatly appreciated.

    Reading your post Issue in connecting to MS SQL Server 2008 I guess this thread here can be closed.
    Cheers,
    C.

  • SET access issue while connecting to MQ explorer from OSB.

    Hi,
    Could someone please advise why OSB is expecting that SET access must be enabled while connecting to the MQ manager, which is not allowed in the non-dev regions.
    ----- amqzfubx.c : 594 --------------------------------------------------------
    09/26/12 11:30:41 - Process(7899.11289) User(mqm) Program(amqzlaa0_nd)
    Host(mqhmts2)
    AMQ8077: Entity 'mqalsb ' has insufficient authority to access object
    XXX.SEU.MEM1.POSTTRADE.REQ'.
    EXPLANATION:
    The specified entity is not authorized to access the required object. The
    following requested permissions are unauthorized: set
    ACTION:
    Ensure that the correct level of authority has been set for this entity against
    the required object, or ensure that the entity is a member of a privileged
    group.
    Here our requirement is that we have 100 members which are posting messages through OSB to the external partners. For this, in OSB we have used the Topic/Subscription model, where it uses the RFH2 header to get the particular member name like MEM1 - MEM100. So for this we have used the MQ protocol to fetch the Topic string value where MEM1 to MEM100 are configured to the topic string.
    But we are seeing the above errors when deployed to non-dev regions.
    Could you please advise whether there is any setting we can change in OSB while configuring the MQ details.
    In OSB we have configured the MQ connection details as below.
    Connection Type mqTcpModeType
    MQ Host Name xxx.unix.lch.com
    MQ Port Number 1234
    MQ Queue Manager Name XXX.ALSB.YYY
    Queue Manager CCSID
    MQ Queue Manager Channel Name ALSB.CONN
    SSL Required false
    Reference to the Static Service Account COMMON/Service Accounts/MQ
    WebSphere MQ Version v6
    MQ Connection Pool Size 100
    MQ Connection Timeout 1800
    MQ Connection Max Wait 3
    Is there any change that needs to be set in to avoid the SET permissions issue.
    Thanks.
    Edited by: user12679330 on 26-Sep-2012 05:30

    Sorry for the delay.
    siebenv.sh and odbc.ini should be created after the Siebel Server has been configured using the configuration wizard.
    Check Doc ID 604303.1 on support.oracle.com regarding the odbc error and let us know if it is helpful.
    Thank you,
    Wilson

  • Getting error ORA-12705, while connecting through Sql*Plus?

    Hi TOM,
    While connecting to the ORACLE Database through Sql*Plus or through the application, we are getting an error called "Error while trying to retrieve text for error ORA-12705".
    How to resolve this one?
    Thanks & Regards,
    Senthil K Kumar.

    Maran,
    check the registry NLS_LANG in the registry rename it as suggested by burleson and add a new entry
    Currently, it was more suggested by Maxim ;-)
    Nicolas.

  • Problem while connecting through ldap console

    hi ,
    we have our directory server 5.2 sp4 on red hat linux 4.
    I am able to connect through ldap browser and ldapsearch is working, but when I'm trying to connect through console it is saying incorrect password or directory problem. I'm not able to figure out what can be the problem. Any help is appreciated.
    Thanks
    Message was edited by:
    ap7926

    yes admin server is up and here is the log
    - Sun Java(TM) System Directory Server/5.2_Patch_4 B2005.230.0415 (32-bit) starting up
    [18/Aug/2007:09:55:11 -0400] - Listening on all interfaces port 389 for LDAP requests
    [18/Aug/2007:09:55:11 -0400] - slapd started.
    [18/Aug/2007:09:55:11 -0400] - INFO: 100 entries in the directory database.
    [18/Aug/2007:09:55:11 -0400] - INFO: add:0, modify:0, modrdn:0, search:0, delete:0, compare:0, bind:0 since startup.
    and here is log from access
    conn=37 op=-1 msgId=-1 - fd=30 slot=30 LDAP connection from 192.168.1.43 to 192.168.1.4
    conn=37 op=-1 msgId=-1 - closing - B1
    conn=37 op=-1 msgId=-1 - closed.

  • Date Format issue while Connecting to Oracle8i and Oracle10g

    Hi All,
    While playing around with JDBC drivers, I came across this weird issue. I have a Local machine with Japanese Locale and I have 2 Database Servers that too with Japanese Locales and Oracle 8i and Oracle 10g each. Now, I connect to these databases using JDBC drivers for 8i and perform "select sysdate from dual". Then, I'm getting dates with 2 different formats. While 8i returns the date in 'DD-MON-RRRR' format, 10g returns the date in 'DD-MM_RR' format.
    Initially I thought it might be because of some VM Locale thing but when I connected to 10g DB from 8i Oracle client, this behaviour did not change. Which means in this case also the date format returned by the query was different.
    Guys F1! F1! (Help! Help!) Appreciate your help to understand this process. Links and suggestions welcome... :)

    I guess u did not read the whole content. I mentioned this but the difference in behaviour with respect to JDBC drivers made me post this in Java forum.
    As I mentioned, it has something to do with the jdbc driver or oracle server itself. Agreed, but what that "something little to do" is the main question.
    I mentioned that I want to understand this process about how JDBC driver works with Client VM specific Locale settings while interacting with Oracle Database.
    Don't you think it could be interesting to know what it is that brings this difference in results? It's all about clarifying the small bits & pieces which stay unanswered if one overlooks them. It's my own perception, I felt like asking the question, no offense right!

  • Issue while connecting to managed server through WLST

    Hi All,
    we have one Admin Server and 6 managed server.
    we are successfully able to connect to Admin server which is running on port 7001 but
    when we are trying to connect to any of the managed server at port 8001 we are getting below error:
    Traceback (innermost last):
    File "<console>", line 1, in ?
    File "<iostream>", line 22, in connect
    File "<iostream>", line 646, in raiseWLSTException
    WLSTException: Error occured while performing connect : Error getting the initial context. There is no server running at t3://<host>:8001
    Use dumpStack() to view the full stacktrace
    Please let us know how to enable WLST to connect to managed servers.
    Thanks

    This was a silly mistake from my side.
    Actually our server hosts multiple managed server on same machines using VIP.
    hence using Alias in WLST connect command solved the issue,
    Thanks.

  • Issue while connecting BW query using BICS Connection

    Hi All,
    I have an issue with Xcelsius while using the BICS connection. When I select the query from the BW System it's throwing an Error #2032. Can someone please help with a solution.
    Regards,
    Raj

    Hai
    It's due to Connectivity Issue
    http://www.pieterverstraeten.com/blog/interval-selection-sap-bics-connection-xcelsius-dashboards/
    Dashboards with BICS connectivity and Infoview (BO4.0 Information Platform)
    http://www.youtube.com/watch?v=1jw8xqkSx6w
    http://www.femkekooij.nl/?p=579
    I hope it helps. Assign points if it is useful.
    Thank u
    Naveen

  • Bluetooth Issues while connected to WIFI

    Is anyone else having issues with the clarity of phone calls when on a bluetooth headset, while being connected to WIFI? I have switched my new Note 4 out at verizon. I have switched bluetooth headsets. It only happens when at work and at home. I'm always connected to WIFI in those two places. When I turn off my WIFI, I have no issues

    It happens on any WIFI when I'm using my bluetooth. I thought maybe I got a bad phone but after switching it out at the Store and trying multiple ears (different brands as well), I'm convinced this is the problem. I never had an issue with my Note 3 and I've had the same bluetooth headsets. In the past, I always kept my WIFI on so it connects to trusted networks automatically. I believe it's a Verizon issue because the Samsung Reps at BestBuy inform me of some other issues but not that one. It seems that different carriers are having different issues. Can you please make whomever aware so they look into this issue.

  • Issue while connecting to Oracle BI using BI Office plugin

    Hi
    I integrated BI Office plugin with OBIEE 11g and while trying to make a connection to it, I am facing the following error:
    Test connection failed.
    http://localhost:7001/bioffice/services/saw?WSDL
    Please, help how to overcome this error.
    Thanks.

    Hi,
    Kindly refer this one,
    http://123obi.com/2011/05/obiee-11g-oracle-bi-add-in-for-microsoft-office/
    Thanks
    Deva

  • Copy of BW causing issues while connecting to R/3

    Hi;
    I have done a copy of our Dev BW system (640) and am trying to restore the existing source system connections to R/3 (640). I am getting errors while restoring it; it says source system already connected to A1 (original) logical system and is asking me to delete it first so I can restore it on the copied one. I wanted to have both BW systems connected to the same R/3 system. I know this is possible in 700 but any idea if it is at all possible in 640?
    If yes, I am not sure which part I am missing. Any idea?
    R,
    Pankaj

    Hi,
    Since u have created a new system the two BW are different now. For the copied system u have to run the Tcode BDLS and make a fresh connection with the existing system
    Regards
    Ravish

  • Issues while connecting databases-ORA-12545!

    hi,
    We have a new set of environments, for which we faced the firewall rule missing issue and it got resolved (able to telnet the ip address now). When we tried to connect to those oracle databases (version 11.2.0.3), we are getting the "ORA-12545: Connect failed because target host or object does not exist" error. I have added all the entries in hostfile and tns file as well, but still I am getting the issue. Can anyone assist to fix this issue?

    Error:     ORA-12170 (ORA-12170)
    Text:     TNS:Connect timeout occurred
    Cause:     The server shut down because connection establishment with a
         client failed to complete within the allotted time interval. This
         may be a result of network/system delays; or this may indicate
         that a malicious client is trying to cause a Denial of Service
         attack on the server.
    Action:     If the error occurred because of a slow network/system,
         reconfigure the SQLNET.INBOUND_CONNECT_TIMEOUT parameter in
         sqlnet.ora to a larger value. If a malicious client is suspected,
         use the address in sqlnet.log to identify the source and restrict
         access. Note that logged addresses may not be reliable as they can
         be forged (e.g. in TCP/IP).
         /////////////////////////////////////////////////////////////////////////
