Registering Database with OID : Directory does not contain the required Oracle Schema or Schema version is not correct

In my previous post I discussed Enterprise User Security (EUS). This post covers an issue I ran into while registering an Oracle Database with an LDAP server (Oracle Internet Directory, OID).

Issue 1: To register an Oracle Database with Oracle Internet Directory, LDAP must be one of the name-resolution methods (the others, such as TNSNAMES and EZCONNECT, are listed in NAMES.DIRECTORY_PATH in SQLNET.ORA), with ldap.ora pointing to your OID server. This is configured via NETCA (Oracle Net Configuration Assistant); the steps to configure it are mentioned here.

After entering the OID 11g server name and port in NETCA, I received the error message "Directory does not contain the required Oracle Schema or Schema version is not correct".

Fix:

The fix is to enable anonymous binds in OID 11g: set the attribute orclanonymousbindsflag to 1 on the entry cn=oid1,cn=osdldapd,cn=subconfigsubentry (oid1 is the OID instance name; substitute yours if it differs). This can be done via ODSM, via FMW Enterprise Manager Control, or with an LDIF file and ldapmodify, as explained here. More on anonymous binds in OID 11g here.

Why this is the fix: NETCA performs this schema check with an anonymous bind, before it has asked for any directory credentials, so the check fails (the underlying error is TNS-04411, directory service permission denied) whenever the directory rejects anonymous binds or its ACLs do not let an anonymous client read the root DSE and cn=subschemasubentry. Value 1 allows anonymous binds directory-wide, so pair it with ACLs that limit what an anonymous client can actually read; once registration is done, the flag can be set back to 0 if your policy requires it, as long as the database's later LDAP lookups use credentials or a wallet.
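The registration prerequisites above, as an added example that is not part of the original post or of Oracle's tooling: a small set of shell helpers that produce the ldap.ora NETCA writes, produce the LDIF that sets the anonymous-bind flag, and reproduce NETCA's anonymous schema read with ldapsearch. It assumes the OpenLDAP client tools (ldapsearch, ldapmodify) are installed, that the host, ports and admin context are placeholders you replace, and that the OID instance entry is the default cn=oid1. The ldapsearch check looks for the Oracle Net object class orclNetService as a proxy for whatever NETCA inspects; it is a sanity check, not NETCA's exact test.

```sh
#!/bin/sh
# Added example for this post's registration steps; it is not the post's or
# Oracle's own code. Assumed: OpenLDAP client tools (ldapsearch, ldapmodify)
# are installed, the OID host, ports and admin context are placeholders,
# and the OID instance entry is the default cn=oid1.

# Emit the ldap.ora that NETCA writes for an OID server: non-SSL port, SSL
# port, and the default admin context under which Net service entries live.
ldap_ora_content() {
    host="$1"; port="$2"; ssl_port="$3"; admin_ctx="$4"
    printf 'DIRECTORY_SERVERS= (%s:%s:%s)\n' "$host" "$port" "$ssl_port"
    printf 'DEFAULT_ADMIN_CONTEXT = "%s"\n' "$admin_ctx"
    printf 'DIRECTORY_SERVER_TYPE = OID\n'
}

# Emit the LDIF that sets orclanonymousbindsflag on the OID instance entry.
# 1 allows anonymous binds (what NETCA needs), 0 disables them; anything
# else is rejected here so a typo cannot be pushed to the directory.
anon_bind_ldif() {
    case "$1" in
        0|1) ;;
        *) echo "anon_bind_ldif: flag must be 0 or 1" >&2; return 1 ;;
    esac
    cat <<EOF
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclanonymousbindsflag
orclanonymousbindsflag: $1
EOF
}

# Apply the flag as cn=orcladmin (ldapmodify -W prompts for the password).
# Usage: apply_anon_bind_flag ldap://oid.example.com:3060 1
apply_anon_bind_flag() {
    anon_bind_ldif "$2" | ldapmodify -x -H "$1" -D cn=orcladmin -W
}

# Reproduce what NETCA does before it asks for credentials: an anonymous
# (-x, no -D) base search of the root DSE, then of cn=subschemasubentry,
# looking for the Oracle Net object class orclNetService. -o ldif-wrap=no
# keeps long schema lines unfolded so grep can match them. A "permission
# denied" here is the condition NETCA reports as the missing-schema error.
# Usage: check_anonymous_schema_read ldap://oid.example.com:3060
check_anonymous_schema_read() {
    url="$1"
    ldapsearch -x -H "$url" -o ldif-wrap=no -s base -b "" 'objectclass=*' subschemasubentry \
      >/dev/null || return 1
    ldapsearch -x -H "$url" -o ldif-wrap=no -s base -b cn=subschemasubentry \
      'objectclass=*' objectclasses | grep -qi orclNetService
}
```

Run check_anonymous_schema_read against the plain LDAP port first; if it fails with permission denied while an authenticated search of the same entries succeeds, the problem is the anonymous-bind flag or the ACL on cn=subschemasubentry, not the Oracle schema itself.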


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy: specialising in Design, Implementation, and Training.


31 comments
Gulam Dyer says April 15, 2013

Hi Atul,

I was getting the message "Directory does not contain the required Oracle Schema or Schema version is not correct" using netca. I followed your post and it helped me to proceed further. I got the ldap.ora file under /opt/oracle/product/11gR2/db/network/admin

Actually I got stuck while configuring Portal, Forms, Reports and Discoverer 11g – Step 11 of 14

Specify Oracle Internet Directory Information
I have given information like
hostname: myhost.mydomain
Port:3131
User Name: cn=orcladmin
Password : ************
Checkbox selected for Configure the LDAP server in secure mode

Here I'm getting error INST-07294: Could not retrieve SSO information with the given credential.

I have gone through another post of yours covering this issue but I could not succeed. Can you help me resolve this issue?
Regards
Gulam Dyer

Reply
    Atul Kumar says April 18, 2013

    @ Gulam Dyer,
    It looks like the application is expecting OSSO objects in OID (this is 10g SSO). Which document are you using to install Forms, Reports and Discoverer, and what version?

    Please post the link

    Reply
Gulam Dyer says April 18, 2013

Hi Atul,

I have used the document from Novell; below is the link

http://ftp.novell.com/partners/oracle/docs/Oracle_FMW_11gR1_components_Installation_guide.pdf

Version for Forms, Reports and Discoverer is 11.1.1.2.0

Version for Identity and Access Management is 11.1.1.7.0

Regards

Reply
Philipp says August 23, 2013

Hi Atul,

I got the same error message while trying to connect netca to OVD. But I double-checked the SSL listener settings: it allows anonymous connections and it has no-auth settings for SSL.

I wonder what else could prevent netca from connecting to OVD?

Reply
    Atul Kumar says August 26, 2013

    @ Philipp,
    Did you try connecting to OVD without username/password, and can you see data?

    Reply
Philipp says August 26, 2013

Atul,

I can connect only on the plaintext port, while the SSL one doesn't work for me for a strange reason. It doesn't allow me to connect either as Anonymous or as a normal AD user (I do that for AD).

Reply
Atul Kumar says August 26, 2013

@ Philipp,
What are you connecting to (OID or OVD) ?
and on what port ?

Did you check what the SSL port is ("opmnctl status -l")?
Is the SSL port to OVD/OID open across the firewall (from the DB to the OID/OVD host)?

Reply
Philipp says August 26, 2013

I'm connecting to OVD on the SSL-enabled port (8501 in my case, with the SSL no-auth option). I checked that port and I can ldapbind -U 1 to that port.

My DB and OVD are on the same machine and firewall is down.

Reply
Atul Kumar says August 27, 2013

Did you change the port? 8899 is the default HTTPS web listener and 7501 is the default LDAPS port.

Enable AUTH by setting SSL in OVD and then try again. All LDAPS clients (including the database) expect the server to be in AUTH mode, and I suspect the connection is failing at the SSL handshake stage.

Reply
Philipp says August 27, 2013

@Atul,

Well, I checked the ports; 8899 and 7501 are working. I can connect with user credentials to 7501, and it also accepts Anonymous.

Well, I think I confused you because my error message is

ConfigException: Could not check for the Oracle Schema: oracle.net.config.ConfigException: TNS-04411: Directory service: permission denied
caused by: oracle.net.config.DirectoryServiceException: TNS-04411: Directory service: permission denied
caused by: oracle.net.ldap.NNFLException

Reply
Atul Kumar says August 27, 2013

@ Philipp,
    Just to understand the issue, are you saying everything works when you use LDAP but the issue is when you use LDAPS (SSL port)?

Reply
Philipp says August 27, 2013

@Atul,

the issue appeared when I tried to run netca. Then I went and checked everything that could prevent netca from connecting to OVD.

So I ran LDAP browser and made sure that:
1) can do anonymous bind to SSL and non-SSL ports
2) can do user login to non-SSL port
3) can’t do user login to SSL port

so now I'm stuck as I do not understand why I can't bind to OVD with user credentials in SSL mode 🙁

Reply
Atul Kumar says August 27, 2013

@ Philipp,
    This must be failing at the SSL handshake stage.

    Who signed the certificates for OVD?
    Is the certificate of the CA (that signed the certificates) in the trust store of the database (acting as client)?

To see SSL in OVD check http://onlineappsdba.com/index.php/2013/01/27/ssl-configuration-in-ovd-oracle-virtual-directory/

Reply
Philipp says August 27, 2013

@ Atul,

thank you. I realized that something is wrong with the certificate. I think I didn't import the certificate into the DB wallet.

Reply
Philipp says August 27, 2013

@ Atul,

thank you for your help but ... I'm still unable to run netca. I created a wallet for the DB and created a self-signed certificate in it; I also imported that certificate into the SSL listener keystore on the OVD side. And I also imported the certificate from OVD into the DB wallet.

Reply
Philipp says August 27, 2013

I also checked that now (after I imported the OVD cert into my Windows machine) I am also able to log in to OVD on the SSL port with AD user credentials.

Reply
Atul Kumar says August 27, 2013

@ Philipp,
    Glad that this is finally working for you. When you say "after I imported an OVD cert into my windows machine", is this in the Windows browser or something else?

    Is the database running on a Windows machine?

Reply
Philipp says August 27, 2013

Well, the major thing still doesn't work! I still can't connect from netca to OVD to set up EUS.

I imported the certificate with the help of MMC as a computer-level certificate.

Reply
Philipp says September 3, 2013

@Atul,

I did some more digging into the problem. I've managed to figure out that the connection fails at the handshake stage. I got a log entry from OVD:

Error accepting connection from server socket: no cipher suites in common.

So I'm wondering if you have a clue what that could be? I selected the Anonymous cipher in the listener settings and also all the ciphers in the SSL settings section, as well as all the SSL versions.

I’d appreciate your help with that!

Reply
Atul Kumar says September 3, 2013

@ Philipp,
    It looks like the ciphers that the database is using to connect to OVD were not selected during OVD configuration.

    What SSL ciphers are selected at the OVD layer?
    http://onlineappsdba.com/index.php/2013/01/27/ssl-configuration-in-ovd-oracle-virtual-directory/

    Select all, then restart OVD and try again.

Reply
Philipp says September 3, 2013

@Atul,

I double-checked that all ciphers are selected and restarted OVD again. Unfortunately, no luck connecting again 🙁

Reply
Atul Kumar says September 3, 2013

@ Philipp,
Next we need to check with what cipher the database client is connecting. What is the version of the database?

Reply
Philipp says September 3, 2013

Installed Top-level Products (1):

Oracle Database 11g 11.2.0.1.0

Reply
Atul Kumar says September 3, 2013

@ Philipp,
To see what cipher the database is coming with:

1. Enable SSL debug in OVD (passing the property -Djavax.net.debug=ssl) and launch OVD from the command line.

2. You should see something similar to the below in the OVD logs:

listenerThread, setSoTimeout(0) called
pool-1-thread-2, READ: SSL v2, contentType = Handshake, translated length = 53
*** ClientHello, TLSv1
RandomCookie: GMT: 1250324485 bytes = { 126, 254, 83, 0, 100, 149, 119, 202, 22, 224, 139, 136, 46, 164, 156, 50, 196, 158, 255, 250, 172, 178, 30, 148, 191, 206, 84, 27 }
Session ID: {}
Cipher Suites: [SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
pool-1-thread-2, SEND TLSv1 ALERT: fata

3. Update ORACLE_INSTANCE/config/OVD/ovd1/listeners.os_xml with a cipher that the database client is offering (at least one of them).

4. Restart OVD and test again.

Check "DEBUGGING SSL CONNECTIVITY BETWEEN BPEL 10.1.3.4 AND OVD 11 (Doc ID 1068042.1)".

That note is about BPEL and OVD (in our case it is the database and OVD).

Reply
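The cipher-mismatch diagnosis in the steps above, as an added example that is not part of the thread or of Oracle's tooling: shell helpers that read the javax.net.debug=ssl output, list the cipher suites the client offered in its ClientHello, tag the ones that provide no server authentication or use weak ciphers, and intersect them with the list the OVD listener is configured with (assumed here to have been exported to a file, one suite name per line; the listeners.os_xml format is not parsed). The sample log in the test is the ClientHello quoted above. Note what that ClientHello shows: every suite the client offered is SSL_DH_anon_* or EXPORT, so even if OVD accepts one of them the database will not be authenticating the directory at all, which is why the thread's earlier advice to put OVD in AUTH mode and give the database a wallet with the CA certificate matters beyond just getting the handshake to succeed.

```sh
#!/bin/sh
# Added example; not from the thread or from Oracle. Assumes the OVD
# listener's -Djavax.net.debug=ssl output is on stdin or saved to a file,
# and that the listener's configured suites are in a file, one per line.

# Print each cipher suite named in a "Cipher Suites: [...]" ClientHello line,
# one per line, tagged WEAK for anonymous DH (no server authentication),
# export-grade, NULL, single DES or RC4 suites, and OK otherwise.
classify_client_hello() {
    sed -n 's/^Cipher Suites: \[\(.*\)\]$/\1/p' |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//; /^$/d' |
    while IFS= read -r suite; do
        case "$suite" in
            *_anon_*|*EXPORT*|*NULL*|*_DES_*|*RC4*) printf 'WEAK %s\n' "$suite" ;;
            *) printf 'OK %s\n' "$suite" ;;
        esac
    done
}

# Succeed only if the client offered at least one suite that authenticates
# the server; fails for the ClientHello quoted in the thread.
client_hello_authenticates_server() {
    classify_client_hello | grep -q '^OK '
}

# Print the suites present in both the client's offer ($1, the debug log)
# and the server's configured list ($2). Exit status 1 with no output is
# exactly the "no cipher suites in common" condition OVD logged.
common_suites() {
    log="$1"; server_list="$2"
    classify_client_hello <"$log" | cut -d' ' -f2 | grep -Fx -f "$server_list"
}
```

Usage: save the OVD debug output to ovd-ssl.log, put the listener's configured suite names in ovd-suites.txt, then run `common_suites ovd-ssl.log ovd-suites.txt`; an empty result explains the handshake failure, and `classify_client_hello <ovd-ssl.log` shows whether the only suites that would fix it are anonymous ones you would rather not enable.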
Philipp says September 3, 2013

@Atul,

I'm so ashamed that I don't know how to start OVD from the command line. Could you tell me how to do that, please?

Reply
Philipp says September 3, 2013

Well, I started it finally and when I tried to connect to it I got:

listenerThread, setSoTimeout(0) called
pool-3-thread-1, received EOFException: error
pool-3-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
pool-3-thread-1, SEND TLSv1 ALERT: fatal, description = handshake_failure
pool-3-thread-1, WRITE: TLSv1 Alert, length = 2
pool-3-thread-1, called closeSocket()
pool-3-thread-1, called close()
pool-3-thread-1, called closeInternal(true)

but while OVD was waiting for a connection I noticed that…

trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
matching alias: serverselfsigned
acceptThread, called closeSocket()
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, called close()
Finalizer, called closeInternal(true)
Exception in thread “Thread-5” java.lang.NullPointerException
at oracle.ons.OutputBuffer.putString(OutputBuffer.java:103)
at oracle.ons.PropertyList.write(PropertyList.java:140)
at oracle.ons.Notification.send(Notification.java:472)
at oracle.ons.SenderThread.run(SenderThread.java:148)
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false

Do you think it might be a problem?

BTW, none of the lines you expected appeared.

Reply
Atul Kumar says September 9, 2013

@ Philipp,

Are you doing client server authentication ?

Check

Bug 16782405 OVD with EUS to support client certificate ssl authentication

Reply
Philipp says September 9, 2013

Atul,

I found the issue. It was with an ACL to allow reading the cn=SubschemaSubentry tree. It wasn't described in the guide but I found that on OTN.

But it seems like my journey isn’t finished yet. I’ll keep you updated.

Thank you for your time!

Reply
Philipp says September 9, 2013

Atul,

finally it works 🙂 Thank you!

Reply
Atul Kumar says September 10, 2013

@ Philipp,
Great, so it worked finally after setting the ACL for cn=SubSchemaSubentry.

Did you make any changes for SSL communication, like setting up a truststore in the database or any change on the OVD side?

Reply
Philipp says September 10, 2013

@ Atul,

No, it had nothing to do with SSL. It was all about the ACL.

Reply