So this week I've been doing some more stuff with Cloud Control 13c and came across a small issue when trying to use it with IE11.
With Firefox everything was working fine, but with IE I would just get a kind of generic error message that really told me nothing about what was actually wrong.
To confuse things, we were running the browser with the remote app PaaS service from Oracle - for those of you not familiar with it (which was me until recently) - it's basically a Citrix-like offering from Microsoft - we use it in Azure but I think it is also available in your own datacentre with the right components installed (I still refuse to call it "on premise" by the way, for some reason that term really grates on me).
Anyway, we'd published IE11 as a remote app (along with loads of other stuff) - but it just refused to work with Cloud Control - initially we thought it may be some sort of routing/proxy/firewall problem as the error was so generic, but when we actually went and checked the HTTP error log (which with hindsight maybe we should have done first) we saw this error:
[2016-07-19T10:18:16.4270+02:00] [OHS] [ERROR:32] [OHS-2171] [http_core.c] [host_id: azurecc] [host_addr: x.x.x.x] [pid: 18260] [tid: 140289984399104] [user: oracle] [VirtualHost: xxxxxx:0] NZ Library Error: SSL negotiation error [Hint: too restrictive SSLCipherSuite]
And there we have it: a nice error message, and it even gives us a hint, like this is some kind of treasure hunt or something......
So a bit of googling and some trial and error later I finally find the solution, which is to add this additional cipher to those already listed in 2 Apache SSL config files - not sure why there are two and even if both need to be changed - but anyway this worked - so the files are (installation location dependent of course):
/oracle/gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs1/ssl.conf
and
/oracle/gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/instances/ohs1/ssl.conf
The line to alter is this one, onto which I append the value AES256-SHA:
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,AES256-SHA
A restart of Apache then picks up this change and everything starts working - we still get warnings as it's a self-signed certificate from an untrusted root - but the SSL comms are working.
So it seems that OHS/Apache has to be dumbed down a little to talk SSL with IE11?
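An added example, not part of the original post: a small Python check that reads the SSLCipherSuite directive from ssl.conf text, flags the suites in the list above that use RC4, DES, 3DES or MD5, and reports whether the two ssl.conf copies carry different lists. The sample config strings are constructed from the line shown above; the function names and the marker list are assumptions of this example.

```python
import re

# Constructed sample: the directive as shown on the page (copy A, edited) and
# the same directive without the appended suite (copy B, not yet edited).
BASE = ("SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,"
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,"
        "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA")
CONF_A = "# SSL Cipher Suite:\nSSLCipherSuite " + BASE + ",AES256-SHA\n"
CONF_B = "# SSL Cipher Suite:\nSSLCipherSuite " + BASE + "\n"

# Illustrative markers for the SSL_/TLS_ style names used above (an assumption,
# not a complete policy): substring -> why the suite is considered weak.
WEAK_MARKERS = {
    "RC4": "RC4 stream cipher",
    "3DES": "3DES (64-bit block)",
    "_DES_": "single DES (56-bit key)",
    "MD5": "MD5 MAC",
    "NULL": "no encryption",
    "EXPORT": "export-grade key",
}

DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(\S.*)$", re.IGNORECASE)

def cipher_suites(conf_text):
    """Return the suites from the last uncommented SSLCipherSuite line."""
    suites = []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # lines starting with '#' never match
        if m:
            suites = [s.strip() for s in re.split(r"[,:]", m.group(1)) if s.strip()]
    return suites

def weak_suites(suites):
    """Return (suite, reasons) for every suite matching a weak marker."""
    found = []
    for suite in suites:
        reasons = [why for mark, why in WEAK_MARKERS.items() if mark in suite.upper()]
        if reasons:
            found.append((suite, reasons))
    return found

def drift(conf_a, conf_b):
    """Suites present in only one of the two ssl.conf copies."""
    return set(cipher_suites(conf_a)) ^ set(cipher_suites(conf_b))

if __name__ == "__main__":
    for suite, reasons in weak_suites(cipher_suites(CONF_A)):
        print(f"WEAK  {suite}: {', '.join(reasons)}")
    print("only in one copy:", sorted(drift(CONF_A, CONF_B)))
```

To run it against a real installation, pass the contents of each ssl.conf file to `cipher_suites` and `drift` in place of the constructed strings.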