OID ManagedServer is not getting up after OAM SSL renewal


OID ManagedServer is not getting up after OAM SSL renewal

kiranjoshy
Hi Team,

We recently renewed our SSL certificate in OAM. The new cert was imported into the keystore.jks file, and we bounced OAM afterward. The SSL appears valid on the frontend, but end users are unable to log in and are getting a "User Authentication Failed" error.
We bounced OAM and OID again to troubleshoot. During this, we noticed the OID Managed Server is not coming back up. We're seeing the following error:

<Info> <Security> <BEA-090909> Using the configured custom SSL Hostname Verifier implementation:
weblogic.security.utils.SSLWLSHostnameVerifier

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

Error: Cannot connect to Node Manager — sun.security.validator.ValidatorException:
PKIX path validation failed: validity check failed

Summary of what we've done so far:

Imported new SSL cert into keystore.jks
Bounced OAM (twice)
Bounced OID

Current status: OID Managed Server is not starting. Node Manager connection is failing due to SSL/certificate path validation errors.
Could someone please assist in resolving this?

Thanks,
Kiran

Re: OID ManagedServer is not getting up after OAM SSL renewal

ErmanArslansOracleBlog
Administrator
* Verify Keystore Configuration: Confirm Custom Trust settings (ensure the correct trust stores are used)

* Import CA Chains: Add Root/Intermediate certs (It is not enough to just import the identity certificate..)

* Check the node manager config, and if necessary update and sync Node Manager in the context of SSL renewal.
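The two checks above can be run offline before a bounce. The following is an added example, not code from the thread or from Oracle: it loads an identity keystore and a separate trust store and performs the same PKIX path validation WebLogic's trust manager does, so a "validity check failed" (an expired cert anywhere in the chain) or a missing root/intermediate shows up with the offending chain index. The file names, alias "oam_ssl" and password "changeit" are assumed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Diagnoses "PKIX path validation failed: validity check failed" without restarting anything.
// Assumed inputs (hypothetical, not from the thread): ./keystore.jks holding the private-key
// entry "oam_ssl", ./trust.jks holding the CA certs, both protected with "changeit".
public class ChainCheck {

    // Lists every certificate in the alias chain that is not valid at 'when' (leaf, intermediates, root).
    static List<String> expiredInChain(KeyStore ks, String alias, Date when) throws Exception {
        List<String> bad = new ArrayList<>();
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null) { bad.add("no private-key chain for alias " + alias); return bad; }
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            try { x.checkValidity(when); }
            catch (CertificateException e) { bad.add(x.getSubjectX500Principal() + ": " + e.getMessage()); }
        }
        return bad;
    }

    // Validates the chain with trust anchors taken from the trust store, not from keystore.jks,
    // which mirrors a Custom Trust configuration. Returns "OK" or the failing index and reason.
    static String pkixValidate(KeyStore identity, String alias, KeyStore trust) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String a : Collections.list(trust.aliases())) {
            if (trust.isCertificateEntry(a))
                anchors.add(new TrustAnchor((X509Certificate) trust.getCertificate(a), null));
        }
        Certificate[] chain = identity.getCertificateChain(alias);
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(anchors); // throws if the trust store has no CA entries
        params.setRevocationEnabled(false);                   // offline check; CRL/OCSP not covered here
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "OK";
        } catch (CertPathValidatorException e) {
            // getIndex() is the position of the offending cert in the chain (-1 if not attributable)
            return "FAILED at index " + e.getIndex() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("keystore.jks")) { ks.load(in, "changeit".toCharArray()); }
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("trust.jks")) { ts.load(in, "changeit".toCharArray()); }
        System.out.println("expired: " + expiredInChain(ks, "oam_ssl", new Date()));
        System.out.println("pkix:    " + pkixValidate(ks, "oam_ssl", ts));
    }
}
```

Run it against the keystore and trust store that Node Manager is configured with, since that is the connection reporting the error in the thread; an empty "expired" list together with "pkix: OK" means the remaining suspect is the Node Manager configuration itself.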



Re: OID ManagedServer is not getting up after OAM SSL renewal

kiranjoshy
Thanks for the update.

I received a new certificate from the network team (issued against a CSR I provided) and imported it into keystore.jks. Since the existing root and intermediate CA certificates were not expired, I did not re-import them.
I then restarted only OAM. After this, user authentication started failing.
I subsequently restarted both OID and OAM, but the issue persisted.

Re: OID ManagedServer is not getting up after OAM SSL renewal

kiranjoshy
Issue Summary:

Following SSL certificate renewal on the OAM server (new certificate imported into keystore.jks based on a CSR provided to the Berkley), the OAM managed server was restarted to apply the updated certificate.
After this restart, users were unable to log in via SSO, with authentication failing during the login process.

Root Cause:

While investigating, we found that the OID Monitor process (oidmon) on host  was not running. Since OAM relies on OID for LDAP-based user authentication,
the unavailable oidmon process (and consequently the oidldapd LDAP server processes) caused authentication requests to fail, even though the new certificate itself was imported correctly.

Fix Applied:

1. Verified oidldapd process status - confirmed it was not running.
2. Started oidmon manually: oidmon connect=OIDDB start
3. Confirmed oidmon and oidldapd processes came up successfully via oidctl status check (oid1 instance, port 3070).
4. Restarted OAM and OID managed servers.
5. Validated SSO login - authentication is now working as expected.

But previously, when we bounced OAM and OID, this process would come up automatically. Could you please help me identify the reason behind this?

Re: OID ManagedServer is not getting up after OAM SSL renewal

ErmanArslansOracleBlog
Administrator
Okay, but this doesn't explain the data.. I mean you had -> "PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed", so that's unrelated to the problematic OID processes actually..