Monday, October 16, 2023

EUS: Troubleshooting ORA-01017

Enterprise User Security (EUS) is one of the architectures available for centralizing authentication, authorization, and user/password lifecycle management of Oracle Database users. One Oracle database error that customers often encounter as they begin evaluating the EUS architecture is the following:

ORA-01017: invalid username/password; logon denied

This error can be especially frustrating because there are a variety of possible causes.

Here are some common causes and corresponding solutions and troubleshooting techniques:
  • The wallet containing the ORACLE.SECURITY.DN and ORACLE.SECURITY.PASSWORD entries does not exist. To check, list the expected wallet directory:

$ ls -al $ORACLE_BASE/admin/$ORACLE_SID/wallet

  • The wallet containing the ORACLE.SECURITY.DN and ORACLE.SECURITY.PASSWORD entries exists but is empty or has missing or incorrect values (passwords are case sensitive). To troubleshoot, retrieve the values from the wallet with:

$ $ORACLE_HOME/bin/mkstore -wrl $ORACLE_BASE/admin/$ORACLE_SID/wallet -list -viewEntry ORACLE.SECURITY.DN -viewEntry ORACLE.SECURITY.PASSWORD <<EOF
YourWalletPassword
EOF

  • If the Oracle database was upgraded from an earlier version to 18c or newer, the mappings may need to be re-created. See Doc ID 2611300.1.
  • The EUS configuration (e.g. the sample in /<oud_install>/oud/config/EUS/modifyRealm.ldif) has not yet been applied or is misconfigured. See Doc ID 2118421.1.
  • The Certificate Authority (CA) certificate chain or the OUD self-signed certificate is not loaded into the wallet. To troubleshoot this issue, confirm the presence of the certificate in the wallet with:

$ $ORACLE_HOME/bin/orapki wallet display -wallet $ORACLE_BASE/admin/$ORACLE_SID/wallet -pwd YourWalletPassword

  • Database startup fails with ORA-01017. In this case the grid user's group membership needs to include the OSRACDBA group. See Doc ID 2313555.1.
  • ORA-01017 with a RAC database. This can be caused by inconsistent wallets on the RAC nodes, or by sharing the same wallet via an NFS share on all three nodes when auto_login only works on the node on which it was set.
  • The wrong ORACLE_SID environment variable value may have been specified, so authentication fails because you are attempting to connect to the wrong database.
  • If using tnsnames.ora, the connect string may be pointing to the wrong database, one for which the user or user/password combination is not valid.

When troubleshooting ORA-01017 from the database perspective, you will want to enable tracing to determine the reason for the authentication failure.

Step 1: Enable Oracle database tracing with:

$ $ORACLE_HOME/bin/sqlplus / as sysdba
SQL> alter system set events '28033 trace name context forever, level 9';

Step 2: Perform an authentication attempt that fails with ORA-01017:

$ $ORACLE_HOME/bin/sqlplus -S -L <eus_user_id>/YourUsersPassword@$ORACLE_SID
ERROR: ORA-01017: invalid username/password; logon denied

Step 3: Disable Oracle database tracing with:

$ $ORACLE_HOME/bin/sqlplus / as sysdba
SQL> alter system set events '28033 trace name context off';

Step 4: Look up the path of the trace files (in case they aren't in the default location):

$ $ORACLE_HOME/bin/sqlplus / as sysdba
SQL> show parameter dump

Step 5: Review the trace file, looking for KZLD_ERR messages.
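The five steps above wrapped into one script, as an added example that is not part of the original post. It assumes $ORACLE_HOME/bin/sqlplus is present, that the caller can connect "/ as sysdba", and that the trace directory can be read from v$diag_info ('Diag Trace'), which on ADR-enabled databases is the same directory "show parameter dump" reports. The failing login is driven through /nolog plus a connect statement on stdin so the password never appears in the process list. The trace file contents in the usage note are a constructed sample, not real trace output.

```shell
#!/bin/bash
# Added example, not from the original post: Steps 1-5 above as one script.
# Assumptions: $ORACLE_HOME/bin/sqlplus exists, the caller can connect
# "/ as sysdba", and the trace directory is read from v$diag_info
# ('Diag Trace'). Trace data used in the usage note is a constructed sample.
set -u

# Run one SQL*Plus script as SYSDBA and print only the query output.
run_sysdba_sql() {   # usage: run_sysdba_sql "<sql statements>"
    "$ORACLE_HOME/bin/sqlplus" -S -L / as sysdba <<EOF
set heading off feedback off pagesize 0 verify off
$1
exit
EOF
}

# Step 1 / Step 3: switch the 28033 logon trace event on or off.
set_logon_trace() {   # usage: set_logon_trace on|off
    if [ "$1" = on ]; then
        run_sysdba_sql "alter system set events '28033 trace name context forever, level 9';"
    else
        run_sysdba_sql "alter system set events '28033 trace name context off';"
    fi
}

# Step 4: print the trace directory of this instance.
trace_dir() {
    run_sysdba_sql "select value from v\$diag_info where name = 'Diag Trace';"
}

# Step 5: print every KZLD_ERR line with file name and line number. The
# argument may be a trace directory (all *.trc files) or a single file.
# "No matches" is a result, not a failure, so the exit status is always 0.
extract_kzld_errors() {   # usage: extract_kzld_errors <dir-or-file>
    if [ -d "$1" ]; then
        grep -Hn 'KZLD_ERR' "$1"/*.trc 2>/dev/null || true
    else
        grep -Hn 'KZLD_ERR' "$1" 2>/dev/null || true
    fi
}

# Number of KZLD_ERR lines found (0 when there are none).
count_kzld_errors() {   # usage: count_kzld_errors <dir-or-file>
    extract_kzld_errors "$1" | wc -l | tr -d ' '
}

# Steps 1-5 against a live database. The failed login is expected, so its
# exit status is ignored, and tracing is switched off again before the
# trace directory is searched.
main() {   # usage: main <eus_user_id>
    eus_user=$1
    printf 'Password for %s: ' "$eus_user"
    stty -echo; IFS= read -r pw; stty echo; echo
    set_logon_trace on
    # Step 2: credentials go to sqlplus on stdin, not on the command line.
    printf 'connect %s/%s@%s\nexit\n' "$eus_user" "$pw" "$ORACLE_SID" \
        | "$ORACLE_HOME/bin/sqlplus" -S -L /nolog || true
    set_logon_trace off
    dir=$(trace_dir | tr -d '[:space:]')
    echo "Trace directory: $dir"
    extract_kzld_errors "$dir"
}

# Only touch the database when a user name is given on the command line.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Run it as `./eus_trace.sh <eus_user_id>` and enter the password at the prompt; without an argument it only defines the functions, so `extract_kzld_errors /path/to/trace` can be used on its own against trace files copied from another host. Because the 28033 event is set at system level, the KZLD_ERR lines land in the trace file of the server process that handled the failed connection, not in the SYSDBA session's own trace file, which is why the script searches the whole trace directory rather than the current session's default trace file.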

When troubleshooting ORA-01017 from the directory service perspective, you will want to review the directory service logs. In the case of Oracle Unified Directory (OUD), review the /<oud_instance>/OUD/logs/access or /<oud_instance>/OUD/logs/access.log log file, depending on which logger is enabled. Things to look for include:
  • Authentication attempt by <eus_user_id> fails because the user does not exist (err=32)
  • Authentication attempt by <eus_user_id> fails because the wrong password was used (err=49)
  • Connection to the OUD instance fails because the client and server cannot agree on the LDAPS cryptographic negotiation. You will typically see the error "no cipher suites in common". See Doc ID 2397791.1 for OUD 12c and Doc ID 2304757.1 for OUD 11g. Note that this can happen if you have upgraded JDK 8 to a version that has deprecated the use of anonymous and NULL cipher suites. In this case, you will need to update jre/lib/security/java.security of the JDK used by OUD to remove anon from jdk.tls.disabledAlgorithms. Here is a sample java.security for jdk1.8.0_361:

jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
    secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
    secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
    sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
    sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
    sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
    X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
    X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
    X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \
    brainpoolP320r1, brainpoolP384r1, brainpoolP512r1

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, NULL, \
    include jdk.disabled.namedCurves

jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        DH_anon, ECDH_anon, \
        RC4_128, RC4_40, DES_CBC, DES40_CBC, \
        3DES_EDE_CBC
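Triage helpers for the directory-service side, added here as an example that is not part of the original post: one function summarizes bind results by LDAP error code from a DSEE-style access log (the err=32 / err=49 cases above), one counts the "no cipher suites in common" handshake failures, and two read a java.security file, joining its backslash-continued lines, to report whether jdk.tls.disabledAlgorithms still lists anon. The access-log lines and the two java.security fragments are constructed samples, not real logs or a real JDK file; the functions take any file path.

```shell
#!/bin/bash
# Added example, not from the original post: triage helpers for the OUD side.
# summarize_bind_errors and count_cipher_mismatches read a DSEE-style access
# log; java_security_value and anon_suites_disabled read a java.security file.
# All sample data below is constructed, not captured from a real system.
set -u

SAMPLE_DIR=$(mktemp -d)

# Constructed access-log sample: two wrong-password binds, one bind as a DN
# that does not exist, one TLS handshake failure and one successful bind.
cat > "$SAMPLE_DIR/access" <<'EOF'
[16/Oct/2023:10:15:32 +0000] conn=12 op=0 BIND dn="cn=jdoe,ou=people,dc=example,dc=com" method=128 version=3
[16/Oct/2023:10:15:32 +0000] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[16/Oct/2023:10:16:01 +0000] conn=13 op=0 BIND dn="cn=nobody,ou=people,dc=example,dc=com" method=128 version=3
[16/Oct/2023:10:16:01 +0000] conn=13 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[16/Oct/2023:10:16:40 +0000] conn=14 op=0 BIND dn="cn=jdoe,ou=people,dc=example,dc=com" method=128 version=3
[16/Oct/2023:10:16:40 +0000] conn=14 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[16/Oct/2023:10:17:05 +0000] conn=15 DISCONNECT reason="I/O Error" msg="javax.net.ssl.SSLHandshakeException: no cipher suites in common"
[16/Oct/2023:10:18:00 +0000] conn=16 op=0 BIND dn="cn=asmith,ou=people,dc=example,dc=com" method=128 version=3
[16/Oct/2023:10:18:00 +0000] conn=16 op=0 RESULT err=0 tag=97 nentries=0 etime=0
EOF

# Constructed java.security fragments: the "default" copy still lists anon
# in jdk.tls.disabledAlgorithms; the "edited" copy has it removed.
cat > "$SAMPLE_DIR/java.security.default" <<'EOF'
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        DH_anon, ECDH_anon
EOF
sed 's/3DES_EDE_CBC, anon, NULL/3DES_EDE_CBC, NULL/' "$SAMPLE_DIR/java.security.default" \
    > "$SAMPLE_DIR/java.security.edited"

# Print "<err> <count> <meaning>" for every non-zero bind result code,
# most frequent first. Only RESULT lines carry the err= field.
summarize_bind_errors() {   # usage: summarize_bind_errors <access-log>
    awk '
        /RESULT/ && match($0, /err=[0-9]+/) {
            code = substr($0, RSTART + 4, RLENGTH - 4)
            if (code != "0") count[code]++
        }
        END {
            meaning["32"] = "noSuchObject (user DN does not exist)"
            meaning["49"] = "invalidCredentials (wrong password)"
            for (c in count)
                printf "%s %d %s\n", c, count[c], (c in meaning ? meaning[c] : "other")
        }' "$1" | sort -k2,2nr
}

# Number of LDAPS handshakes that failed for lack of a shared cipher suite.
count_cipher_mismatches() {   # usage: count_cipher_mismatches <access-log>
    grep -c 'no cipher suites in common' "$1" || true
}

# Effective value of one java.security property, with the file's
# backslash-continued lines joined into a single string.
java_security_value() {   # usage: java_security_value <java.security> <property>
    awk -v key="$2" '
        collecting { sub(/^[ \t]+/, ""); value = value $0 }
        $0 ~ ("^" key "[ \t]*=") { value = $0; sub(/^[^=]*=[ \t]*/, "", value); collecting = 1 }
        collecting { if (value ~ /\\$/) sub(/\\$/, "", value); else collecting = 0 }
        END { print value }' "$1"
}

# "yes" when the JDK still refuses anonymous cipher suites, "no" otherwise.
anon_suites_disabled() {   # usage: anon_suites_disabled <java.security>
    case ",$(java_security_value "$1" jdk.tls.disabledAlgorithms | tr -d ' ')," in
        *,anon,*) echo yes ;;
        *)        echo no ;;
    esac
}

echo "Bind failures in $SAMPLE_DIR/access:"
summarize_bind_errors "$SAMPLE_DIR/access"
echo "TLS handshake failures: $(count_cipher_mismatches "$SAMPLE_DIR/access")"
for f in default edited; do
    echo "anon suites disabled in java.security.$f: $(anon_suites_disabled "$SAMPLE_DIR/java.security.$f")"
done
```

The err= pattern matches the DSEE-format access file named above; the OpenDJ-style access.log writes the same code as result= on its BIND RES lines, so adjust the regular expression in summarize_bind_errors if that logger is the one enabled. anon_suites_disabled prints yes while the JDK still refuses anonymous suites and no once the workaround from the post has been applied; since removing anon re-enables unauthenticated key exchange for that JVM, the same check is useful after a later JDK patch to confirm whether the default was silently restored and the handshake failures are about to return.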

I hope you find this helpful.

Blessings!

Brad
