APEX users reported that LDAP authentication failed ("Invalid Login Credentials") after we applied the latest October 2021 CPU (33192694 OJVM Patch and 33192793 Database Patch) to the Oracle databases.
On the newly patched servers, ldapbind worked fine over the non-SSL connection but returned "SSL handshake failed" when connecting to LDAP over SSL using the Oracle wallet.
$ ldapbind -D "uid=ldapuser,ou=myGroup,o=MyCompany,c=US" -w ldap_password -h ldap.company.com -p 389
bind successful
$ ldapbind -D "uid=ldapuser,ou=myGroup,o=MyCompany,c=US" -w ldap_password -h ldap.company.com -p 636 -W "file:/mydir/wallet" -P wallet_password -U 2
SSL handshake failed

Since the same wallet file worked fine on the servers patched with the July 2021 CPU, I initially did not suspect that the Oracle wallet was the culprit, until one of my colleagues found the following "Important Note" in Oracle Doc ID 2212921.1.
Important Note: Situations have been reported where LDAP calls using SSL would not work for any obvious reason. In a number of those cases recreating the DB Wallet resolved the issue.
So we created a new wallet containing only the three root and intermediate CA certificates retrieved from the LDAP server's certificate chain (shown below) and configured the APEX instance to use it. LDAP authentication worked!
$ openssl s_client -connect ldap.company.com:636 -showcerts
CONNECTED(00000003)
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
verify return:1
depth=0 C = US, ST = My State, L = My City, O = My Company, OU = IT, CN = ldap.company.com

Furthermore, the old wallet contained two certificates with the subject "USERTrust RSA Certification Authority": one in good standing and one that had expired. The expired one is the cross-certificate issued by AddTrust External CA Root, which expired on May 30, 2020, whereas the server now presents the USERTrust root cross-signed by AAA Certificate Services. Also, the "USERTrust RSA Certification Authority" and "InCommon RSA Server CA" certificates in the old wallet were different from the ones retrieved from the LDAP certificate chain. Since the subject names are identical, only the serial numbers and SHA1 fingerprints reveal the difference.
*** CAs in the old wallet file ***
Subject Name: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
Issuer Name: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
Serial Number: 1fd6d30fca3ca51a81bbc640e35032d
Expiration Date: January 18, 2038
Certificate SHA1 Fingerprint: 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
Subject Name: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
Issuer Name: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Serial Number: 13ea28705bf4eced0c36630980614336
Expiration Date: May 30, 2020
Certificate SHA1 Fingerprint: EA:B0:40:68:9A:0D:80:5B:5D:6F:D6:54:FC:16:8C:FF:00:B7:8B:E3
Subject Name: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
Issuer Name: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
Serial Number: 25b55d4599b45d74e6dcc92100548172
Expiration Date: September 18, 2024
Certificate SHA1 Fingerprint: F4:F2:6A:16:D4:B9:13:CF:32:08:E6:64:E3:DD:38:4E:56:CE:77:AF

*** New CAs retrieved from ldap.company.com:636 certificate chain ***
Subject Name: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
Issuer Name: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
Serial Number: 3972443af922b751d7d36c10dd313595
Expiration Date: December 31, 2028
Certificate SHA1 Fingerprint: D8:9E:3B:D4:3D:5D:90:9B:47:A1:89:77:AA:9D:5C:E3:6C:EE:18:4C
Subject Name: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
Issuer Name: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
Serial Number: 4720d0fa85461a7e17a1640291846374
Expiration Date: October 5, 2024
Certificate SHA1 Fingerprint: F5:FB:01:DE:A6:E5:9C:A6:DD:05:70:54:F4:A3:FF:72:DD:E1:D5:C6

After we updated the old wallet file by removing the expired CA certificate and replacing "USERTrust RSA Certification Authority" and "InCommon RSA Server CA" with the certificates retrieved from the LDAP certificate chain, LDAP authentication was also successful using the updated wallet file.
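The procedure used above (pull the chain the LDAP server serves, compare each certificate by serial number, fingerprint and expiry rather than by subject name, then load only the CA certificates into a fresh wallet) as an added shell example that is not part of the original post. It assumes openssl is on PATH, that orapki from the Oracle client is needed only for the rebuild step, and uses ldap.company.com, /mydir/newwallet and a placeholder password as stand-ins. The chain it audits offline is constructed inside the script (two self-signed certificates sharing one subject, one of them about to expire), not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post: audit the CA chain an LDAPS
# server presents before loading it into an Oracle wallet, and rebuild the
# wallet from that chain. Assumes openssl on PATH; orapki is only required by
# rebuild_wallet. Host name, wallet path and password are placeholders.

# Capture the chain as the post does; the output is plain text with the PEM
# certificates embedded, which split_chain() then picks apart.
fetch_chain() {
    host=$1; out=$2
    openssl s_client -connect "$host:636" -showcerts </dev/null >"$out" 2>&1
}

# Split a PEM bundle (raw s_client output is fine) into cert-NN.pem files in
# the directory $2, in the order served (01 = leaf). Prints the count.
split_chain() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"; rm -f "$outdir"/cert-*.pem
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    ' "$bundle"
    ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# One tab-separated line per certificate: status, serial, SHA1 fingerprint,
# notAfter, subject, issuer. Status flags certificates that expire within
# $2 days (default 30); the AddTrust cross-cert in the old wallet would have
# tripped this check in 2020.
audit_chain() {
    dir=$1; days=${2:-30}; secs=$((days * 86400))
    for c in "$dir"/cert-*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
        serial=$(openssl x509 -in "$c" -noout -serial | sed 's/^serial=//')
        fp=$(openssl x509 -in "$c" -noout -fingerprint -sha1 | sed 's/^.*=//')
        exp=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
        if openssl x509 -in "$c" -noout -checkend "$secs" >/dev/null; then
            status=OK
        else
            status="EXPIRES_WITHIN_${days}d"
        fi
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$status" "$serial" "$fp" "$exp" "$subj" "$iss"
    done
}

# Subjects that occur more than once: a root and its cross-signed twin share
# a subject, so only serial/fingerprint tells them apart. Prints each once.
duplicate_subjects() {
    for c in "$1"/cert-*.pem; do
        openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//'
    done | sort | uniq -d
}

# Create a fresh wallet holding only the CA certificates (CA:TRUE) from the
# chain; the leaf is skipped. Requires the Oracle client's orapki.
rebuild_wallet() {
    dir=$1; wallet=$2; pwd=$3
    command -v orapki >/dev/null 2>&1 || { echo "orapki not on PATH" >&2; return 1; }
    orapki wallet create -wallet "$wallet" -pwd "$pwd" -auto_login
    for c in "$dir"/cert-*.pem; do
        openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE' || continue
        orapki wallet add -wallet "$wallet" -pwd "$pwd" -trusted_cert -cert "$c"
    done
    orapki wallet display -wallet "$wallet" -pwd "$pwd"
}

# Constructed sample input for offline use: two self-signed certificates with
# the same subject, one valid ten years and one expiring tomorrow, wrapped in
# the kind of text s_client prints around the chain.
make_sample_chain() {
    out=$1; work=$2
    mkdir -p "$work"
    for n in 1 2; do
        [ "$n" = 1 ] && days=3650 || days=1
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/C=US/O=Example/CN=Example Root CA" \
            -keyout "$work/key$n.pem" -out "$work/c$n.pem" 2>/dev/null
    done
    {
        echo "CONNECTED(00000003)"
        echo "depth=0 C = US, O = Example, CN = Example Root CA"
        echo "verify return:1"
        cat "$work/c1.pem"; echo "---"; cat "$work/c2.pem"
        echo "DONE"
    } >"$out"
}

# Run as `sh chain_audit.sh demo` to exercise everything on the sample chain.
# Against a real server: fetch_chain ldap.company.com chain.txt; split_chain
# chain.txt certs; audit_chain certs; rebuild_wallet certs /mydir/newwallet PW
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sample_chain "$work/chain.txt" "$work"
    split_chain "$work/chain.txt" "$work/certs"
    audit_chain "$work/certs" 30
    echo "duplicate subjects:"; duplicate_subjects "$work/certs"
fi
```

To compare an existing wallet against what the server serves, run `orapki wallet display` on the old wallet and match its serial numbers against the second column of the audit output; a subject that appears in the wallet with a serial the server never presents is a candidate for removal, and a duplicate subject reported by duplicate_subjects is the cross-signing situation that caused the trouble here. Passing the wallet password on the command line, as both this script and the post's ldapbind invocation do, leaves it visible in the process list, so do that only on a host you control.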