22.11.14

OracleVM 3.3.1 and External Authentication

Some of the customers (including my company Ratioware) has defined OracleVM Manager to use external authentication (like LDAP or Active Directory) to be used to authenticate the users when logging into OracleVM Manager console.

This used to work well with OracleVM 3.2.x.

When we upgraded OracleVM 3.2.8 to OracleVM 3.3.1 we noticed that all those custom authentication settings were lost. Well, that is “kind” of acceptable assuming Oracle perhaps doesn’t like us to tweak the underlying WebLogic.

After changing the authentication provider back to utilize our external authentication provider I noticed that I wasn’t any more able to login to OracleVM console. I was able to login to WebLogic Console but not into OracleVM Manager console. I got “Unexpected error during login”.

Error messages in the weblogic log files stated:

<2014-11-11T20:19:25.066+0200> <Error> <com.oracle.ovm.appfw.coreinterface.ConnectionManager> <BEA-000000> <AppFw session 1: Failed to connect to Web Service API.
com.oracle.ovm.mgr.ws.model.WsException: AUTH_000002:Connection to manager failed: AUTH_000002:Connection to manager failed: Certificate authentication failed: certificate unrecognized (CN=admin, OU=Oracle VM Manager, O=Oracle Corporation, C=US).
Tue Nov 11 20:19:25 EET 2014 (AUTH_000002)

Changing the order of authentication providers or the requried –attributes didn’t help in the issue.

There is Oracle Doc ID 1942473.1 related to this with solution suggestion:

Steps to fix this:

  1. cd /u01/app/oracle/ovm-manager-3/bin/
  2. ./configure_client_cert_login.sh

The configure_client_cert_login.sh will ask you the username and the password for the OVM manager. In my case I did have “admin” user but for some reason the password was not upgraded correctly and I needed to reset the “admin” user password in OVM WLS console before I could execute this script correctly.

You could potentially also use “weblogic” user to run the script.

After running this client certification script the OracleVM Manager login started working correctly and we were able to use our external authenticator with our OracleVM Manager console.

4 comments:

tyger said...

Thank you!
I had run into problems during an upgrade and had to do a restore. This error was driving me crazy!

sigtom said...

Do you have any docs or info on how to setup OVM Manager to use External Authentication? I would like to set it up to use AD, but havent found any info on how to do so explicitly for OVMM; I have found info on WebLogic 12c, which is the version of WL in OVMM.


Thanks!

Harri Kaukovuo said...

Basically OVMM setup with AD does not differ from normal Weblogic setup with Ad authentication.

swathikrishna said...

That did not help my issue to fix.

raise Exception('%s %s' % (response.reason, content))
Exception: Unauthorized {"message":"AUTH_000002:Connection to manager failed: AUTH_000005:Invalid login credentials.","errorCode":"AUTH_000002","cause":"Caused by: com.oracle.ovm.mgr.ws.model.WsException: AUTH_000005:Invalid login credentials.\n","wsErrorCode":"AUTH_CONNECTION_TO_MANAGER_FAILED"}
0004fb000006000062a693d15c6612b3 {SSLVNC} 6904', {}), ('{DOMAIN} 0004fb000006000062a693d15c6612b3 {SSLTTY} 10009', {})]