After installing the latest release of Oracle Unified Directory (11.1.2.2.0), all databases that tried to connect to the directory service started to receive the following error:
SQL> conn T3204325
Enter password:
ERROR:
ORA-28030: Server encountered problems accessing LDAP directory service
Checking on the OUD log file, the error was:
[30/Mar/2015:10:50:46 -0300] CONNECT conn=19 from=10.192.38.28:34059 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:50:46 -0300] DISCONNECT conn=19 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
After searching a bit, I found out that in any JDK version greater than the JDK 7u75 release, the SSLv3 protocol (Secure Sockets Layer) has been deactivated and is not available by default, to mitigate the SSL v3.0 vulnerability (aka the "POODLE attack").
So, I tried to disable this protocol on the DB side following MOS Doc 1938502.1 (CVE-2014-3566 Poodle Vulnerability and SSL_VERSION Parameter Setting). Basically, it says to update any sqlnet.ora and listener.ora configuration files with: "SSL_VERSION=1.0"
Unfortunately, after applying that workaround, the problem persisted.
After researching a lot more, I finally found out that this is a bug (19285025) =[ .. and the solution is to apply patch 19285025, available via the patch portal.
So, I applied that after shutting down the instance:
[oracle@blqa10bddsne001 opatch]$ unzip p19285025_112040_Linux-x86-64.zip
Archive: p19285025_112040_Linux-x86-64.zip
creating: 19285025/
inflating: 19285025/README.txt
creating: 19285025/etc/
creating: 19285025/etc/config/
inflating: 19285025/etc/config/inventory.xml
inflating: 19285025/etc/config/deploy.xml
inflating: 19285025/etc/config/actions.xml
creating: 19285025/etc/xml/
inflating: 19285025/etc/xml/GenericActions.xml
inflating: 19285025/etc/xml/ShiphomeDirectoryStructure.xml
creating: 19285025/files/
creating: 19285025/files/lib/
creating: 19285025/files/lib/libldapclnt11.a/
inflating: 19285025/files/lib/libldapclnt11.a/gslcss.o
[oracle@blqa10bddsne001 opatch]$ cd 19285025/
[oracle@blqa10bddsne001 19285025]$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 11.2.0.3.6
Copyright (c) 2013, Oracle Corporation. All rights reserved.
PREREQ session
Oracle Home : /u01/app/oracle/product/11.2.4/dbhome_1
Central Inventory : /u01/app/oraInventory
from : /u01/app/oracle/product/11.2.4/dbhome_1/oraInst.loc
OPatch version : 11.2.0.3.6
OUI version : 11.2.0.4.0
Log file location : /u01/app/oracle/product/11.2.4/dbhome_1/cfgtoollogs/opatch/opatch2015-03-30_11-07-21AM_1.log
Invoking prereq "checkconflictagainstohwithdetail"
Prereq "checkConflictAgainstOHWithDetail" passed.
OPatch succeeded.
[oracle@blqa10bddsne001 19285025]$ opatch apply
Oracle Interim Patch Installer version 11.2.0.3.6
Copyright (c) 2013, Oracle Corporation. All rights reserved.
Oracle Home : /u01/app/oracle/product/11.2.4/dbhome_1
Central Inventory : /u01/app/oraInventory
from : /u01/app/oracle/product/11.2.4/dbhome_1/oraInst.loc
OPatch version : 11.2.0.3.6
OUI version : 11.2.0.4.0
Log file location : /u01/app/oracle/product/11.2.4/dbhome_1/cfgtoollogs/opatch/19285025_Mar_30_2015_11_09_55/apply2015-03-30_11-09-55AM_1.log
Applying interim patch '19285025' to OH '/u01/app/oracle/product/11.2.4/dbhome_1'
Verifying environment and performing prerequisite checks...
All checks passed.
Provide your email address to be informed of security issues, install and
initiate Oracle Configuration Manager. Easier for you if you use your My
Oracle Support Email address/User Name.
Visit http://www.oracle.com/support/policies.html for details.
Email address/User Name:
You have not provided an email address for notification of security issues.
Do you wish to remain uninformed of security issues ([Y]es, [N]o) [N]: y
Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/u01/app/oracle/product/11.2.4/dbhome_1')
Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files...
Patching component oracle.ldap.rsf, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Verifying the update...
Patch 19285025 successfully applied
Log file location: /u01/app/oracle/product/11.2.4/dbhome_1/cfgtoollogs/opatch/19285025_Mar_30_2015_11_09_55/apply2015-03-30_11-09-55AM_1.log
OPatch succeeded.
[oracle@blqa10bddsne001 19285025]$
Starting my database again, the problem finally disappeared =D. No more problems with the SSLv3 vulnerability!
For more information, you can check the MOS Doc 1986819.1 (EUS - ORA-28030: Server Encountered Problems Accessing OUD).