
Thread: Very Unusual Security Issues

  1. #1
    peterbruce (Senior Member; Join Date: Jan 2004; Location: NSW Australia; Posts: 2,086)

    Very Unusual Security Issues

    JDEList,

    We have an unusual problem. The security kernels stop writing to the logs on our enterprise server. Additionally the P98OWSEC doesn’t seem to work properly. We have LDAP enabled, so form W98OWSECI (security detail revisions) requires you to tick a box to allow changes to a specific detail. However, when attempting to re-enable a user id I found that the tick boxes were disabled, but the detail entry fields were editable – just like it is without LDAP enabled. I changed the status from ‘02’ to ‘01’ and clicked OK, but the user detail was not updated. I did the same thing on both the web client and the fat admin/dev client, with the same results. I had the debug log on the fat client and it showed that the LDAP_isLDAPAuthenticationEnabled business function returned a ‘0’ instead of a ‘1’ – meaning that LDAP wasn’t enabled, but it is enabled!

    This is a recent behaviour going back about 6 weeks or so to mid-February 2017. About this time we had a firewall upgrade. I don’t know how a firewall upgrade would stop the security kernels from writing to the logs.

    We have two installations that are completely separate. One for production and the other for testing and development. The problems are occurring in both environments.

    Our installation configuration is: E9.1 TR9.1.2.1, Enterprise Server: Sun; Database Server: Sun; Oracle DB: 11g, Weblogic; Create!form 7

    Any help would be gratefully accepted.
    Thanks, Peter

    "Give a person a fish, feed them for a day, teach them how to fish, feed them for a lifetime."

    E9.1 TR9.1.2.1, Enterprise Server: Sun, Database Server: Sun, Oracle DB: 11g, Weblogic.
    Create!form 7

  2. #2
    Alex_Pastuhov (Senior Member; Join Date: Jul 2001; Location: Australia; Posts: 1,713)

    Generally speaking, AD/LDAP are generally somewhat unreliable, so the client software would often need to wait and sometimes retry. I think I remember some old posts here saying the JDE security kernels can sometimes get locked up as a result. And if that is what you are seeing, then it would probably explain why it stops writing to the logs and it could conceivably misreport its status as a result too. I guess if you reboot the security server, it would probably start working again.

    And there are multiple different ports it can communicate over, plus potentially multiple DCs, so firewalls can cause comms issues. Is there anything in the logs?
    Regards,
    Alexander Pastuhov
    http://www.everestsoftint.com/

  3. #3
    peterbruce (Senior Member; Join Date: Jan 2004; Location: NSW Australia; Posts: 2,086)

    Alex,

    I appreciate your response.

    I'm not sure about the Enterprise Server OS logs and the Firewall logs, but there is virtually nothing in the JDE logs. The only reference was from a JDE Net process saying it did not get a response from the security kernel.

    As far as I can see the issue doesn't involve the LDAP connection (at least directly), depending on exactly how the LDAP_isLDAPAuthenticationEnabled business function operates.
    Thanks, Peter


  4. #4
    Hi Peter, have you tried putting the security kernel in debug mode when this issue happens and see what's being written? The security kernel has this limitation that if it loses connection to the LDAP server even for a split second then it will remain looping on that error of not being able to connect to LDAP, even though the LDAP server may be up and running fine. The only way to recover from this situation is to kill the affected security kernel (or restart services); this is what I had to do at one of my customer sites where JDE would lose connectivity to the LDAP server often.

    Since the issue is happening on both of your JDE instances I think the LDAP server is definitely involved, assuming they are both pointing to the same LDAP server. Is the LDAP server virtual? If it is part of a VMware vMotion setup, check that it wasn't being moved around when the issue was observed.
    EnterpriseOne Xe to 9.2
    Windows/ Unix / AS400
    Oracle , SQL Server, DB2
    WAS , WLS
    AppWorx, Tidal , SmartScheduler

  5. #5
    peterbruce (Senior Member; Join Date: Jan 2004; Location: NSW Australia; Posts: 2,086)

    Ice,

    Thanks for a very interesting reply!

    I was not aware that security kernels can be put into debug mode. Is this a JDE function? Or is it an operating system function? How do you do it? All our JDE servers are unix/sun/zones (sun's virtual machine) with the exception of the Deployment server of course. I wasn't certain of the involvement of the LDAP server (unix/sun) in our issues. Users can still log on and off without issue. Though there may be an occasional problem with users becoming disabled in JDE before the maximum password attempts is reached.

    The same LDAP server and firewall are involved in both the Production and test/Development installations.
    Thanks, Peter


  6. #6
    Hi Peter,

    Putting the kernel in debug is a JDE function and can be done using Server Manager (or using SAW back in the old days). Under the Runtime Metrics of your Enterprise Server in Server Manager, click on process detail and go into a kernel; you will see the option to turn on debug on the kernel.

    Check out this Server Manager guide for tools 9.1 available online. I have linked the section that talks about this.

    https://docs.oracle.com/cd/E24902_01..._configuration

  7. #7
    peterbruce (Senior Member; Join Date: Jan 2004; Location: NSW Australia; Posts: 2,086)

    Ice,

    Thanks very much for the information on the kernel via server manager. I'll look at that tomorrow.
    Thanks, Peter


  8. #8
    New Member (Join Date: Dec 2016; Location: ROURKELA; Posts: 19)

    Hi Pete,

    Is the issue still there? Please let us know your findings.
    Regards,
    Gopal

  9. #9
    peterbruce (Senior Member; Join Date: Jan 2004; Location: NSW Australia; Posts: 2,086)

    Gopal,

    I raised an SR with Oracle Support, who were very helpful. They eventually provided a POC which I have installed in our test/development instance. It has been a couple of weeks now, but so far it looks good.
    Thanks, Peter

