Oracle Portal - SSL handshake fails NZE-28860
| Topic ID: | 1770 |
| Created By: | 2007-MAR-02 15:39:58 [Vitaliy] |
| Updated By: | 2007-MAR-02 15:42:22 [Vitaliy] |
| Status: | Open |
| Severity: | Normal |
| Read Only: | No |
After enabling SSL in Oracle Portal you see the following errors in the
WebCache event log, and the Custom Login Portlet on the home page
stops working (it is no longer displayed).
webcache.webcache-> pwd
/u01/app/oracle/product/10gAS/webcache/logs
tail event_log
[02/Mar/2007:01:54:53 -0800] [req-info] [ecid: 170185045552,0] [client: 192.201.137.128] [host: -] [url: -]
[02/Mar/2007:01:54:53 -0800] [warning 11904] [ecid: 170185045552,0] SSL handshake fails NZE-28860
[02/Mar/2007:01:54:53 -0800] [error 11321] [ecid: 170185045552,0] Connection from browser cannot be established.
RESEARCH:
# nslookup 192.201.137.128
Server: dns.domain.com
Address: 192.201.137.139
Name: ifra-db.domain.com
Address: 192.201.137.128
ifra-db.domain.com is the INFRA box.
Run snoop on the WebCache server and grep for the name of the server
whose IP address appears in the log above:
# snoop | grep ifra-db
Using device /dev/bge0 (promiscuous mode)
ifra-db.domain.com -> ssl-vip.domain.com HTTPS C port=36770
ssl-vip.domain.com -> ifra-db.domain.com HTTPS R port=36770
ifra-db.domain.com -> ssl-vip.domain.com HTTPS C port=36770
ifra-db.domain.com -> ssl-vip.domain.com HTTPS C port=36770
ssl-vip.domain.com -> ifra-db.domain.com HTTPS R port=36770
ssl-vip.domain.com -> ifra-db.domain.com HTTPS R port=36770
ssl-vip.domain.com -> ifra-db.domain.com HTTPS R port=36770
ssl-vip.domain.com -> ifra-db.domain.com HTTPS R port=36770
ssl-vip.domain.com -> ifra-db.domain.com HTTPS R port=36770
ifra-db.domain.com -> ssl-vip.domain.com HTTPS C port=36770
ifra-db.domain.com -> ssl-vip.domain.com HTTPS C port=36770
ifra-db.domain.com -> ssl-vip.domain.com HTTPS C port=36770
ifra-db.domain.com -> ssl-vip.domain.com HTTPS C port=36770
ssl-vip.domain.com -> ifra-db.domain.com HTTPS R port=36770
ssl-vip.domain.com -> ifra-db.domain.com HTTPS R port=36770
ifra-db.domain.com -> ssl-vip.domain.com HTTPS C port=36770
ssl-vip.domain.com -> ifra-db.domain.com HTTPS R port=36770
ifra-db.domain.com -> ssl-vip.domain.com HTTPS C port=36770
ifra-db.domain.com -> ssl-vip.domain.com HTTPS C port=36770
^C#
Notice that all calls are made over HTTPS and that there are calls coming from
the INFRA host (ifra-db.domain.com) to Portal (ssl-vip.domain.com).
The only way the INFRA tier can call Portal is via UTL_HTTP directly from the database.
To test this theory, shut down the INFRA database; the home page then displays the
following error in the region of the Custom Login Portlet:
Error: The listener returned the following Message: 503 Service Unavailable
Further research into the code for the Custom Login Page shows that it is a PL/SQL
procedure called "LoginFormPortlet"; here is the source code:
01 CREATE OR REPLACE PROCEDURE LoginFormPortlet (
02 p_requested_url varchar2 default null,
03 p_cancel_url varchar2 default null,
04 p_page varchar2 default null)
05 IS
06 l_server_name varchar2(200) := owa_util.get_cgi_env('SERVER_NAME');
07 l_server_port varchar2(10) := owa_util.get_cgi_env('SERVER_PORT');
08 l_protocol varchar2(10) := owa_util.get_cgi_env('REQUEST_PROTOCOL');
09 l_base_url VARCHAR2(500);
10 l_requested_url VARCHAR2(500);
11 l_cancel_url VARCHAR2(500);
12 l_site2pstoretoken VARCHAR2(2048);
13 l_userinfo wwsec_person%rowtype;
14 l_sso_url VARCHAR2(500) := custom_app.user_mgt.get_lookup_value('SSO_INFO','URL');
15 --
16 BEGIN
17 IF (NOT portal.wwctx_api.is_logged_on) THEN
18 if ( l_server_port = '80' ) OR (l_server_port = '443') then
19 l_base_url := l_protocol ||'://'|| l_server_name ;
20 else
21 l_base_url := l_protocol ||'://'|| l_server_name ||':'||l_server_port;
22 end if;
23 if(p_cancel_url is null) then
24 l_cancel_url := l_base_url ||'/';
25 else
26 l_cancel_url := p_cancel_url;
27 end if;
28 if (p_requested_url is null) then
29 l_requested_url := l_base_url || '/portal/pls/portal/PORTAL.home';
30 else
31 l_requested_url := p_requested_url;
32 end if;
33 l_site2pstoretoken := portal.get_site2pstoretoken( l_requested_url, l_cancel_url);
34 --
35
36 htp.p( ...
37
38 ELSE ...
Notice that line #33 calls the GET_SITE2PSTORETOKEN function; here is its source code:
01 CREATE OR REPLACE function get_site2pstoretoken (
02 p_url_requested in varchar2
03 , p_url_cancel in varchar2
04 )return varchar2
05 is
06 l_site2pstoretoken varchar2(4032);
07 l_server_name varchar2(200) := owa_util.get_cgi_env('SERVER_NAME');
08 l_server_port varchar2(10) := owa_util.get_cgi_env('SERVER_PORT');
09 l_protocol varchar2(10) := lower(owa_util.get_cgi_env('REQUEST_PROTOCOL'));
10 l_url_requested varchar2(2000);
11 l_url_cancel varchar2(2000);
12 l_url varchar2(2000);
13 l_html_body varchar2(4032);
14 -- For debug purposes
15 l_debug boolean := false;
16 begin
17 if l_debug
18 then
19 htp.p('<br>DBG>protocol=' || l_protocol);
20 htp.p('<br>DBG>Servername=' || l_server_name);
21 htp.p('<br>DBG>Serverport=' || l_server_port);
22 htp.p('<br>DBG>UrlReq=' || p_url_requested);
23 htp.p('<br>DBG>UrlCanc=' || p_url_cancel);
24 end if;
25 -- Encode the urls
26 l_url_requested := portal.wwutl_htf.url_encode(p_url_requested);
27 l_url_cancel := portal.wwutl_htf.url_encode(p_url_cancel);
28 -- Assemble the complete url for the utl_http.request function.
29 if ( l_server_port = '80' ) OR (l_server_port = '443')
30 then
31 l_url := l_protocol ||'://'
32 || l_server_name
33 || '/portal/pls/portal/portal.wwptl_login.show_site2pstoretoken?p_url='
34 || l_url_requested
35 || '&p_cancel='
36 || l_url_cancel
37 ;
38 else
39 l_url := l_protocol ||'://'
40 || l_server_name
41 || ':'
42 || l_server_port
43 || '/portal/pls/portal/portal.wwptl_login.show_site2pstoretoken?p_url='
44 || l_url_requested
45 || '&p_cancel='
46 || l_url_cancel
47 ;
48 end if;
49 if l_debug
50 then
51 htp.p('<br>DBG>ENC-UrlReq=' || l_url_requested);
52 htp.p('<br>DBG>ENC-UrlCanc=' || l_url_cancel);
53 htp.p('<br>DBG>Url=' || l_url);
54 end if;
55 l_html_body := utl_http.request(l_url);
56
57 if l_debug
58 then
59 htp.p('<br>DBG>LenBody=' || length(l_html_body) );
60 -- The body can only been seen in the html-source of the page.
61 htp.p('<br>DBG>Body=' || l_html_body );
62 end if;
63 -- Remove the part until the v1. text
64 l_html_body := substr( l_html_body
65 , instr(l_html_body,'v1.')
66 ,length(l_html_body)
67 );
68 -- At the first double-quote the token is completed.
69 l_site2pstoretoken := substr ( l_html_body
70 , 1
71 , instr(l_html_body,'"') - 1
72 );
73 if l_debug
74 then
75 htp.p('<br>DBG>l_site2pstoretoken=' || l_site2pstoretoken);
76 end if;
77 return l_site2pstoretoken;
78 end;
79 /
Notice line 55:
l_html_body := utl_http.request(l_url);
This is the problem: a programming error. When calling utl_http.request with a URL
over HTTPS you must supply the additional parameter WALLET_PATH, which tells Oracle
where to find a wallet containing the Root CA certificate of the server you are connecting to.
SOLUTION:
Change the call to utl_http.request as follows:
l_html_body := utl_http.request(l_url,wallet_path=>'file:/u01/app/oracle/WALLETS');
Substitute your own directory on the INFRA server, where the wallet is stored,
for /u01/app/oracle/WALLETS:
ifra-db.INFADB-> ls -l /u01/app/oracle/WALLETS
total 64
-rw-r--r-- 1 oracle dba 15905 Mar 1 18:13 cwallet.sso
-rw-r--r-- 1 oracle dba 15877 Mar 1 18:13 ewallet.p12
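A hardened version of the same HTTPS fetch, as an added example that is not the original post's code: it uses the UTL_HTTP request/response API with UTL_HTTP.SET_WALLET so the Portal certificate is validated against the wallet's Root CA, reads the whole response rather than one 4032-byte buffer, and fails loudly when the token marker is missing instead of silently returning NULL. The wallet directory and the passwordless auto-login wallet (cwallet.sso) are taken from the post; the function name, timeout and error codes are my own assumptions.

```sql
CREATE OR REPLACE FUNCTION fetch_site2pstoretoken (
  p_url    IN VARCHAR2,
  p_wallet IN VARCHAR2 DEFAULT 'file:/u01/app/oracle/WALLETS'
) RETURN VARCHAR2
IS
  l_req   utl_http.req;
  l_resp  utl_http.resp;
  l_chunk VARCHAR2(4000);
  l_body  CLOB;
  l_start PLS_INTEGER;
  l_end   PLS_INTEGER;
BEGIN
  -- Point UTL_HTTP at the wallet holding the Root CA of the Portal SSL endpoint.
  -- Without it the HTTPS handshake fails (the NZE-28860 in the WebCache event log).
  -- Password is NULL because cwallet.sso is an auto-login wallet (assumption from the post).
  utl_http.set_wallet(p_wallet, NULL);
  utl_http.set_transfer_timeout(10);  -- do not hang the portlet if Portal is down
  dbms_lob.createtemporary(l_body, TRUE);
  l_req  := utl_http.begin_request(p_url, 'GET', 'HTTP/1.1');
  l_resp := utl_http.get_response(l_req);
  IF l_resp.status_code <> utl_http.http_ok THEN
    utl_http.end_response(l_resp);
    raise_application_error(-20001, 'Portal returned HTTP ' || l_resp.status_code);
  END IF;
  -- Read the whole body instead of assuming it fits in one 4032-byte buffer.
  BEGIN
    LOOP
      utl_http.read_text(l_resp, l_chunk, 4000);
      dbms_lob.writeappend(l_body, LENGTH(l_chunk), l_chunk);
    END LOOP;
  EXCEPTION
    WHEN utl_http.end_of_body THEN utl_http.end_response(l_resp);
  END;
  -- Token runs from 'v1.' to the next double quote; fail loudly rather than return NULL.
  l_start := dbms_lob.instr(l_body, 'v1.');
  IF l_start = 0 THEN
    raise_application_error(-20002, 'site2pstoretoken marker not found in Portal response');
  END IF;
  l_end := dbms_lob.instr(l_body, '"', l_start);
  IF l_end = 0 THEN
    raise_application_error(-20003, 'unterminated site2pstoretoken in Portal response');
  END IF;
  RETURN dbms_lob.substr(l_body, l_end - l_start, l_start);
EXCEPTION
  WHEN utl_http.transfer_timeout THEN
    raise_application_error(-20004, 'timeout contacting Portal: ' || utl_http.get_detailed_sqlerrm);
END;
/
```

The wallet must actually contain the Root CA of the certificate presented by ssl-vip.domain.com; `orapki wallet display -wallet /u01/app/oracle/WALLETS` lists the trusted certificates it holds.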
For more information on UTL_HTTP refer to:
Metalink Note 230917.1 - Troubleshooting the UTL_HTTP Package
[edited by: Vitaliy at 15:42 (CST) on Mar. 02, 2007]