Thursday Oct 09, 2014

'The signing operation has failed' - common error with Password Based Signatures in Workflow Notifications

Introduction

Oracle Workflow Notifications can be digitally signed in two ways.

  1. Password Based Signature
  2. X.509 Certificate Based Signature.

Users fall into the following authentication categories, depending on whether they subscribe to Single Sign-On (SSO):

  1. Pure E-Business Suite User (Otherwise called FND User)
  2. Pure SSO user
  3. Hybrid Mechanism (Both E-Business Suite and SSO)

Issues and Reasons

Time and again we have encountered a problem with Password Based Signatures failing with the error 'The signing operation has failed'. This happens when the notification is signed using SSO credentials, i.e., the logged-in user is an SSO user. The profile option APPS_SSO_LOCAL_LOGIN controls the type of authentication mechanism to be used for a user at the time of user creation. More information about SSO can be found here.

The possible values of this profile option are:

  • LOCAL - Login is only allowed via Oracle E-Business Suite local login.
  • SSO - Login is only allowed through Single Sign-On. The password is set to ‘EXTERNAL’ after a single sign-on account and an application account are linked.
  • BOTH - Login can be through both Single Sign-On and Oracle E-Business Suite. (Note that this is only a separate authentication mechanism, not a different class of users.)

The signing validation differs according to the type of login/authentication mechanism:

  • For an FND User, the validation utility validates the credentials by fetching the password from the ENCRYPTED_USER_PASSWORD column of the FND_USER table.
  • For a pure SSO user, the ENCRYPTED_USER_PASSWORD column in the FND_USER table is set to 'EXTERNAL', and the validation utility fetches the password from OID to validate it.
  • For a user using both types of authentication mechanism, the validation utility validates as it does for an FND User, i.e., by comparing against ENCRYPTED_USER_PASSWORD from the FND_USER table. This implies that when a user is set up for both FND User and SSO authentication, the FND User password is the one used for validation.

Note also that the password for an SSO user is case-sensitive, while case sensitivity of the password for an FND User depends on the profile option SIGNON_PASSWORD_CASE. In short:

  • An SSO user password is case-sensitive.
  • An FND User password is case-insensitive by default. Whether it is case-sensitive or case-insensitive depends on the value of the profile option 'SIGNON_PASSWORD_CASE'.
  • For a user who uses both authentication mechanisms, the FND User password is used for signing. It would be good to keep these passwords in sync.

Hence, when one encounters the error mentioned here, the starting point of the investigation is to determine what type of user it is. Mostly it will be a user set up for both FND User and SSO authentication. In that case the FND User password should be used and not the SSO password. The case of the password should also be heeded, as that can well be the cause of the issue.

Tuesday Apr 17, 2012

SMTP Authentication Feature in R12.1.3

Overview

Oracle E-Business Suite Workflow Notification Mailer leverages SMTP and IMAP services to send and receive notification and alert emails respectively. Until E-Business Suite Release 12.1.3, Workflow Notification Mailer supported authentication only for IMAP server connections. Starting with Release 12.1.3, Workflow Notification Mailer supports authentication for SMTP servers as well.

The main reasons to support authentication for SMTP servers are:

  1. An attacker could hijack the SMTP connection, either by pretending the server does not support the Authentication extension or by causing all AUTH commands to fail.
  2. An SMTP server accessible over a public domain could be misused by spammers to hide their identity and send spam e-mails.

How to configure

  • Go to the Workflow Manager screen and navigate to the Workflow Notification Mailer page.
  • Edit the Workflow Mailer configuration, update the "SMTP user" and "SMTP Password" parameters, save, and bounce the Workflow Service Container.

Authentication Mechanisms

Workflow Mailer supports the PLAIN, LOGIN and CRAM-MD5 mechanisms with JavaMail version 1.4.

How to check

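On an SMTP server that is not SSL-enabled, this is easy to check: connect with telnet, send EHLO, and look for the AUTH line in the reply, which lists the authentication mechanisms the server advertises.

$ telnet smtp.host.com 25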
Trying 10.11.12.13...
Connected to smtp.host.com (10.11.12.13).
Escape character is '^]'.
220 smtp.host.com ESMTP Sendmail 8.13.8/8.13.8; Tue, 17 Apr 2012 10:11:36 -0400
EHLO smtp.host.com
250-smtp.host.com Hello my.desktop.com [12.13.14.15], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
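
The same check as a script, as an added example that is not part of the original post: it parses the EHLO reply shown above and compares the advertised AUTH mechanisms with the three the Mailer supports. The function names parse_ehlo and assess are illustrative; the PLAIN/LOGIN finding reflects that both mechanisms carry the password base64-encoded rather than encrypted.

```python
import re

MAILER_MECHANISMS = ("PLAIN", "LOGIN", "CRAM-MD5")  # per the post, JavaMail 1.4

# EHLO reply copied from the telnet session in the post.
SAMPLE_EHLO = """\
250-smtp.host.com Hello my.desktop.com [12.13.14.15], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""

def parse_ehlo(reply):
    """Return {KEYWORD: [PARAMS]} for a multi-line 250 EHLO reply."""
    caps = {}
    for i, line in enumerate(reply.strip().splitlines()):
        m = re.match(r"^(\d{3})[ -](.*)$", line.strip())
        if not m or m.group(1) != "250":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        text = m.group(2)
        if i == 0 or not text.strip():
            continue  # first line is the greeting, not a capability
        if text.upper().startswith("AUTH="):  # legacy "AUTH=" spelling
            text = "AUTH " + text[5:]
        keyword, *params = text.split()
        caps.setdefault(keyword.upper(), []).extend(p.upper() for p in params)
    return caps

def assess(reply):
    """Compare the advertised AUTH mechanisms with the Mailer's list."""
    caps = parse_ehlo(reply)
    offered = caps.get("AUTH", [])
    usable = [m for m in MAILER_MECHANISMS if m in offered]
    findings = []
    if not offered:
        findings.append("server does not advertise AUTH")
    elif not usable:
        findings.append("no advertised mechanism is on the Mailer's list")
    elif "CRAM-MD5" not in usable:
        findings.append("only PLAIN/LOGIN in common: password is only base64-encoded")
    return {"offered": offered, "usable": usable,
            "starttls": "STARTTLS" in caps, "findings": findings}
```

For the reply in the post, assess(SAMPLE_EHLO) reports LOGIN and PLAIN as offered, both usable by the Mailer, STARTTLS advertised, and one finding about PLAIN/LOGIN.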

About

This blog is dedicated to bringing the latest information on Oracle Workflow new features, best practices, troubleshooting techniques and important fixes directly from its Development Team.
