Monday, March 22, 2010

SSO server (with WNA) fails to start with Kerberos errors

When you see this in the log:

10/03/22 12:06:22 Acquire TGT using AS Exchange
10/03/22 12:06:22 KerberosAuthenticator: GSSException raised in constructor - No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
10/03/22 12:06:22 GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
10/03/22 12:06:22 at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
[snip!]
10/03/22 12:06:22 ... 22 more
10/03/22 12:06:22 KerberosAuthenticator: Please check the error messages and fix it. Restart OC4J (OC4J_SECURITY instance) server
10/03/22 12:06:22 KerberosAuthenticator: Possible errors may be:
10/03/22 12:06:22 KerberosAuthenticator: 1.HTTP service name in $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml or $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml is wrong.
10/03/22 12:06:22 KerberosAuthenticator: 2.KDC Details (host/port) in $ORACLE_HOME/opmn/conf/opmn.xml are wrong.
10/03/22 12:06:22 KerberosAuthenticator: 3.KDC is down.
10/03/22 12:06:22 KerberosAuthenticator: 4.KDC Details in the keytab file are wrong or the keytab file path has been incorrectly specified.


then try adding the isInitiator option to the Krb5LoginModule entry in $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml, i.e. inside the <login-module> whose <class> is com.sun.security.auth.module.Krb5LoginModule. By default the module behaves as an initiator (isInitiator=true) and tries to obtain a TGT from the KDC for the HTTP service principal before anything else, which is the "Acquire TGT using AS Exchange" line above. The SSO server only has to accept tickets from browsers, and isInitiator=false tells the module to take the service key from the keytab and skip that exchange. The relevant part of the entry then looks like:

<class>com.sun.security.auth.module.Krb5LoginModule</class>

<option>
<name>isInitiator</name>
<value>false</value>
</option>

Then, restart the OC4J_SECURITY process.
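To tell a keytab problem from a KDC problem without restarting OC4J_SECURITY after each guess, the following stand-alone check reproduces the step shown in the stack trace above: a Krb5LoginModule login with the options the fix describes, followed by a request for ACCEPT_ONLY credentials, which is what Krb5AcceptCredential.getKeyFromSubject does inside the SSO server. It is an added example, not code from the original post or from Oracle. The class name, the usage line, the principal HTTP/sso.example.com@EXAMPLE.COM and the keytab path are illustrative, and it assumes a current JDK (the LoginContext constructor that takes a Configuration exists since Java 5) and a readable krb5.conf, either in its default location or given with -Djava.security.krb5.conf=....

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Added diagnostic, not part of the original post or of Oracle's SSO code.
 * Logs in through Krb5LoginModule with a keytab and then asks JGSS for
 * ACCEPT_ONLY Kerberos credentials, the two steps the SSO server performs
 * at start-up. Assumes a current JDK and a readable krb5.conf.
 *
 * Usage (illustrative values):
 *   java KeytabAcceptorCheck /path/to/sso.keytab HTTP/sso.example.com@EXAMPLE.COM [true|false]
 * The optional third argument is the isInitiator value; it defaults to false.
 */
public class KeytabAcceptorCheck {

    private static final Oid KRB5_MECH = krb5Oid();

    private static Oid krb5Oid() {
        try {
            return new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /** The same module options as in jazn-data.xml, built in code instead of XML. */
    static Configuration acceptorConfig(String keytab, String principal, boolean isInitiator) {
        final Map<String, String> opts = new HashMap<String, String>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");     // keep the service key in the Subject for the GSS accept
        opts.put("doNotPrompt", "true");  // a server has nobody to type a password
        opts.put("isInitiator", String.valueOf(isInitiator)); // false: acceptor only, no AS exchange
        opts.put("debug", "true");        // prints the same kind of trace as the SSO log
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Returns the accepted service principal name, or throws with the Kerberos/GSS error. */
    static String acquireAcceptCredential(String keytab, String principal, boolean isInitiator)
            throws Exception {
        LoginContext lc = new LoginContext("sso-acceptor", null, null,
                acceptorConfig(keytab, principal, isInitiator));
        lc.login(); // with isInitiator=true this is where the TGT is fetched from the KDC
        Subject subject = lc.getSubject();
        return Subject.doAs(subject, new PrivilegedExceptionAction<String>() {
            public String run() throws GSSException {
                GSSManager gm = GSSManager.getInstance();
                GSSCredential cred = gm.createCredential(null,
                        GSSCredential.INDEFINITE_LIFETIME, KRB5_MECH, GSSCredential.ACCEPT_ONLY);
                String name = cred.getName().toString();
                cred.dispose();
                return name;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeytabAcceptorCheck <keytab> <service-principal> [isInitiator]");
            System.exit(2);
        }
        boolean isInitiator = args.length > 2 && Boolean.parseBoolean(args[2]);
        try {
            System.out.println("ACCEPT credential OK for "
                    + acquireAcceptCredential(args[0], args[1], isInitiator));
        } catch (LoginException e) {
            System.err.println("JAAS login failed (keytab, principal or krb5.conf): " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it twice: with the third argument true it behaves like the default configuration and contacts the KDC, with false it only reads the keytab. If true fails and false succeeds, the keytab and principal are fine and the jazn-data.xml change above is the right fix; if false fails as well, look at the keytab path, the principal name and the key in the keytab before touching the KDC settings in opmn.xml.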

In spite of everything noted in the note, it works with:

Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2.07-050121-15:53)
Java HotSpot(TM) Server VM (build 1.4.2 1.4.2.07-050121-21:06-IA64N IA64, mixed mode)
running on:
HP-UX [myhost] B.11.23 U ia64 4294967040 unlimited-user license

Friday, March 12, 2010

Grid Control & OID: a deadly combo

If you ever experience these symptoms, ask yourself whether you have Grid Control (or OEM) running:
  • Single Sign On fails
  • OID Processes suddenly have stopped (which explains the above)
  • ODS database account is locked, which seems to cause the problem
  • Unlocking the ODS account resolves the problem, but it gets locked after a short period.
The cause is that the ODS password was changed. You may have done this quite correctly, using the oidpasswd utility and making sure the wallet was updated, but none of that updates targets.xml. Grid Control (or OEM) therefore keeps trying to log on to the ODS account with the old password, and the repeated failed logins lock the account again shortly after you unlock it.

One solution is to update the password property of the ldap target in $ORACLE_HOME/sysman/emd/targets.xml, entering the new value in plain text and marking the property ENCRYPTED="FALSE" so the agent knows the value is not encrypted.
Then restart Grid Control (or OEM). The agent re-encrypts such values when it starts, so check afterwards that the attribute has gone back to ENCRYPTED="TRUE" and the clear-text password is gone; until then the file holds the ODS password in the clear, so keep its permissions tight.
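The edit described above, done in code rather than by hand, together with the follow-up check for properties still flagged as plain text after the restart. This is an added example, not part of the original post or of Oracle's tooling; the sample targets.xml, the target TYPE oracle_ldap and the property names are constructed for the example, so compare them with your own file before pointing the script at it.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like $ORACLE_HOME/sysman/emd/targets.xml. The target TYPE,
# NAME and property names are assumptions for this example; check them against your file.
SAMPLE_TARGETS_XML = """<Targets AGENT_TOKEN="0000000000">
  <Target TYPE="oracle_ldap" NAME="oid_myhost" DISPLAY_NAME="oid_myhost">
    <Property NAME="host" VALUE="myhost.example.com"/>
    <Property NAME="port" VALUE="389"/>
    <Property NAME="username" VALUE="ods"/>
    <Property NAME="password" VALUE="A1B2C3D4E5F6A1B2C3D4" ENCRYPTED="TRUE"/>
  </Target>
  <Target TYPE="host" NAME="myhost.example.com" DISPLAY_NAME="myhost.example.com"/>
</Targets>
"""


def set_plaintext_password(xml_text, target_type, prop_name, new_password):
    """Replace prop_name on every Target of target_type with the new password in
    clear text and flag it ENCRYPTED="FALSE" so the agent knows to re-encrypt it.
    Returns (new_xml_text, number_of_properties_changed)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for target in root.iter("Target"):
        if target.get("TYPE") != target_type:
            continue
        for prop in target.findall("Property"):
            if prop.get("NAME") == prop_name:
                prop.set("VALUE", new_password)
                prop.set("ENCRYPTED", "FALSE")
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def plaintext_properties(xml_text):
    """List (target TYPE, target NAME, property NAME) for every property still marked
    ENCRYPTED="FALSE". Run this after the agent restart: an empty list means the agent
    has re-encrypted the value; anything returned is a password sitting on disk in clear."""
    root = ET.fromstring(xml_text)
    found = []
    for target in root.iter("Target"):
        for prop in target.findall("Property"):
            if (prop.get("ENCRYPTED") or "").upper() == "FALSE":
                found.append((target.get("TYPE"), target.get("NAME"), prop.get("NAME")))
    return found


def property_value(xml_text, target_type, prop_name):
    """Return the stored VALUE of prop_name on the first Target of target_type, or None."""
    root = ET.fromstring(xml_text)
    for target in root.iter("Target"):
        if target.get("TYPE") == target_type:
            for prop in target.findall("Property"):
                if prop.get("NAME") == prop_name:
                    return prop.get("VALUE")
    return None


if __name__ == "__main__":
    # Write the new ODS password in clear text, then show what a post-restart audit would flag.
    updated, n = set_plaintext_password(SAMPLE_TARGETS_XML, "oracle_ldap", "password", "NewOdsPassw0rd")
    print("properties updated:", n)
    print("still in clear text:", plaintext_properties(updated))
```

On a real system, write the result of set_plaintext_password back to targets.xml with the agent stopped, restart it, and then run plaintext_properties on the file again: it should come back empty once the agent has re-encrypted the value.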

More in Doc ID 567256.1