Disclaimer:

All content provided in these articles is for informational purposes only.

Amitego gives no support or warranty for the accuracy or completeness of any information in these articles or found by following any link on this site.

Theme: OSGD     Audience: Administrators, System Integrators    Requirements: OSGD 5.1, OSGD 5.2

 

General

Oracle Secure Global Desktop (OSGD), with or without the OSGD Gateway, communicates over HTTPS, which relies on certificates. The certificate must be valid for both the browser and the tcc communication.

If certificates are not valid, different symptoms can be seen.

This article describes these symptoms and how to test certificates.

 

Symptom

After entering login credentials, the login screen hangs indefinitely.

 

 

Reason

The certificate chain might be broken or incomplete.

 

 

Solution 1: Site is reachable from the internet

Check the URL with e.g. https://www.ssllabs.com/ssltest/analyze.html

If the certificate chain is broken, restore it. The login should then work without issues.

 

 

Solution 2: Site is not reachable from the Internet

Follow these steps to check your certificates.

To check the certificate chain from the command line, enter:
openssl s_client -connect <target>:443 -showcerts

 

A possible output can be:

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 5446196ADB2BCCCD876DB7419F907CAA094282DF2607D6416470E82554224596
    Session-ID-ctx:
    Master-Key: BB5EAC2903DE11F51DF0ACB6CF16841A3BFB2C346BDA33A2AFF347D7955A50B8E13032BD4397D62A22844811D778D8E1
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1413880170
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

The important line in this output is: Verify return code: 0 (ok).
This means that there are no issues with the certificates.
Otherwise, correct the certificates and the login should work.

If the output shows verify return code 0 (ok) but the issue remains,
the certificate chain order might be causing the problem:

 

A wrong certificate order looks like this:

Certificate chain
 0 s:/C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=amitego Engineering GmbH/CN=portal.visulox.com/emailAddress=<mail>@tbsol.de
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

 

A good certificate order looks like this:

Certificate chain
 0 s:/C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=amitego Engineering GmbH/CN=portal.visulox.com/emailAddress=<mail>@tbsol.de
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

Correct your certificate chain order and the login should work.
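
The order check described above can be automated. The following is an added example, not part of the original article or of OSGD: a POSIX shell function that reads s_client output and verifies that each certificate's issuer is the subject of the next certificate. The function name check_chain_order and the two sample chains are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that each certificate's issuer is the subject of the
# next certificate in the "Certificate chain" block printed by s_client.
# Live use: openssl s_client -connect <target>:443 -showcerts </dev/null 2>/dev/null | check_chain_order
check_chain_order() {
    awk '
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ +i:/ && n   { sub(/^ +i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "no certificate chain found"; exit 2 }
            bad = 0
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k + 1]) {
                    printf "cert %d: issuer \"%s\" is not the subject of cert %d\n", k - 1, iss[k], k
                    bad = 1
                }
            if (!bad) print "chain order ok (" n " certificates)"
            exit bad
        }'
}

# Constructed sample: leaf, intermediate, root (issuer of N is subject of N+1).
sample_good() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=portal.example.test
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
 2 s:/CN=Example Root CA
   i:/CN=Example Root CA
EOF
}

# Constructed sample: root sent before the intermediate.
sample_wrong() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=portal.example.test
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Root CA
   i:/CN=Example Root CA
 2 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
EOF
}

sample_good | check_chain_order
sample_wrong | check_chain_order || true
```

The function exits with 0 for a correctly ordered chain, 1 for a misordered one and 2 when no chain is found. It compares only the subject and issuer names as printed; whether the certificates themselves verify is still reported by the verify return code.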

 

Note that some Java versions are more sensitive to the certificate chain order than others. Some Java versions, e.g. Java 1.6, only check whether the certificates are valid and ignore the chain order.

Copyright © VISULOX