Monday, September 14, 2015

Oracle VM - SSL server probably obsolete

Users of Oracle Virtual Machine for x86 technology may be encountering an interesting problem.  The issue lies in access to the management tool, Oracle Virtual Machine Manager (OVMM, also called OVM Manager).

This affects users of the standalone Oracle VM for x86, as well as users of the engineered systems Oracle Virtual Compute Appliance (VCA), Oracle Private Cloud Appliance (PCA), Exalogic in virtual configurations, Exadata in virtual configurations, and Oracle Database Appliance (ODA) in a virtual configuration.

When trying to use the latest browsers to navigate to the HTTPS-protected version of the OVMM tool, you will encounter errors such as:

  • SSL server probably obsolete.  (ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION)
  • Secure Connection Failed (Error code: ssl_error_no_cypher_overlap)

The issue can occur in Google Chrome, Firefox, and Internet Explorer.  I'm sure Safari won't be far behind.

This is due to changes in how browsers handle Secure Sockets Layer (SSL) connections: they are dropping support for older versions of the protocol.  The root of this problem is in the WebLogic layer that is used to host OVMM.

A good place to start looking for help is My Oracle Support (MOS) note:
Oracle VM: Connecting to Oracle VM Manager 3.2.x Results in "ssl_error_no_cypher_overlap" Error Message (Doc ID 1997431.1)

There may be related issues with older versions of Oracle Enterprise Manager 11g, again caused by the configuration of WebLogic.
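
To see which protocol versions the WebLogic listener behind OVM Manager will actually negotiate, the following added example (not from the original post or from Oracle) pins one handshake to each TLS version a current Python/OpenSSL client can offer and reports the outcome. The function names `probe` and `survey` are chosen for this example, and the host and port are whatever your own Manager listens on.

```python
import socket
import ssl
import sys
import warnings

# Versions a current client can still offer. SSLv3 is absent from modern
# OpenSSL builds, so it cannot be probed from here.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]

def probe(host, port, version, timeout=5.0):
    """Try one handshake pinned to a single protocol version.

    Returns (True, cipher_name) if the handshake completes,
    otherwise (False, reason).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Diagnostic only: this checks protocol support, not server identity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        # Pinning TLS 1.0/1.1 raises a DeprecationWarning on recent Pythons.
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError as exc:
            return False, f"not supported by local OpenSSL: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except ssl.SSLError as exc:
        # Includes the case where the local OpenSSL policy disables this version.
        return False, f"handshake failed: {exc}"
    except OSError as exc:
        return False, f"connection failed: {exc}"

def survey(host, port):
    """Probe every version in VERSIONS; returns {version_name: (ok, detail)}."""
    return {v.name: probe(host, port, v) for v in VERSIONS}

if __name__ == "__main__" and len(sys.argv) == 3:
    for name, (ok, detail) in survey(sys.argv[1], int(sys.argv[2])).items():
        print(f"{name:8} {'accepted' if ok else 'rejected'}  {detail}")
```

If every version is rejected, the server and a modern client have no protocol or cipher in common, which is the same situation the browser errors above report.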

Initial workarounds include:
  • Using a previous version of the browser (such as Google Chrome prior to version 45; we are having good luck with version 41)
  • Using the non-secure connection to the tool (HTTP instead of HTTPS), but be aware that passwords and other data will be transmitted over your network unencrypted.
  • Looking for patches / updates from Oracle for your specific tool / product.

I'm sure there will be much more fallout and updates from this.  I'm not an SSL or HTTPS expert, but I think this is affecting or will affect a lot of Oracle customers as we all work through the transition.

If you have other input / suggestions please add comments to the blog.

Gary




