SBL-SEC-10018: An Oracle database error has occurred.

Applies to:

Siebel System Software - Version 7.7 [18026] BETA and later
Information in this document applies to any platform.
Reviewed for Currency 13-NOV-2009
***Checked for relevance on 27-SEP-2012***

Symptoms

When attempting a password change from the Siebel application via the LDAP Security Adapter (LDAPSecAdpt), the user is presented with the following error:
"SBL-SEC-10018: Insufficient access error"
This occurs if the PropagateChange parameter is set to true and in both administration and customer facing screens.
If security adapter logging is set to 5 for the impacted  application object manager (AOM), the following information will be noted:

EventContext EvtCtxApplet 4 0 2008-01-28 15:19:11 Change Password Applet (SWE) (WritePassword)
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 LDAP SecuritySetUserInfo8, Security User=116cef88, username=USER1, Security User Info=116785d0.
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Security Adapter User Set User Info. User name=USER1, User Info=116785d0.
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Security Adapter User ChangePassword() user=USER1
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Bind to LDAP server LDAPServer10 with dn=uid=appuser,ou=people,dc=domain1,dc=intranet.
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Ldap Utility: GetLdapHandle
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_init(srvti110, 389) returns c24bf8.
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Ldap Utility: GetLdapHandle returns 0
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Ldap Utility: BindAsAppUser
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_simple_bind_s(c24bf8, uid=appuser,ou=people,dc=domain1,dc=intranet, *) returns 0
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Ldap Utility: BindAsAppUser succeeded,
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Ldap Utility: GetUserDn. Username=USER1, Attribute=uid, BaseDN=ou=people,dc=domain1,dc=intranet
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_search_s(c24bf8, ou=people,dc=domain1,dc=intranet, LDAP_SCOPE_BASE, (uid=USER1), ...) returns 0.
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_count_entries(c24bf8, c27958) returns 1.
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_first_entry(c24bf8, c27958) returns c27958.
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_get_dn(c24bf8, c27958) returns uid=USER1,ou=People,dc=domain1,dc=intranet.
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_memfree (c27cf8)
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_msgfree (c27958)
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Ldap Utility: UpdatePassword
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Ldap Utility: SetSunOnePassword
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Ldap Utility: SetUserAttr
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_search_ext_s(c24bf8, uid=USER1,ou=People,dc=domain1,dc=intranet, LDAP_SCOPE_BASE, (objectclass=*), ..., c27920) returns 0.
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_modify_ext_s(c24bf8, uid=USER1,ou=People,dc=domain1,dc=intranet, d4ed0c0, NULL, NULL) returns 50.
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 mods d4ed0c0:
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 mods[0]:
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 type=userPassword
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 op=2
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 values=
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 *
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Ldap Utility: GetSunOneUpdatePasswordErr
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Ldap Utility: GetSunOneUserPwdPolicy
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Ldap Utility: GetUserAttr
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_search_ext_s(c24bf8, uid=USER1,ou=People,dc=domain1,dc=intranet, LDAP_SCOPE_BASE, (objectclass=*), ..., c28570) returns 0.
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_first_entry(c24bf8, c28570) returns c28570.
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_get_values(c24bf8, c28570, passwordpolicysubentry) returns 0.
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_msgfree (c28570)
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Ldap Utility: GetUserAttr
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_search_ext_s(c24bf8, cn=Password Policy,cn=config, LDAP_SCOPE_BASE, (objectclass=*), ..., c28770) returns 32.
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_msgfree (c28770)
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Ldap Utility: GetUserAttr
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_search_ext_s(c24bf8, cn=config, LDAP_SCOPE_BASE, (objectclass=*), ..., c28770) returns 0.
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_first_entry(c24bf8, c28770) returns 0.
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_msgfree (c28770)
SecAdptLog API Trace 4 0 2008-01-28 15:19:11 Unbind from LDAP server.
SecAdptLog 3rdpartyTrace 3 0 2008-01-28 15:19:11 ldap_unbind(c24bf8) returns 0.
SecAdptLog Memory Mgmt Trace 5 0 2008-01-28 15:19:11 LDAP SecurityFreeErrMessage8, ErrMessage=11677400.
GenericLog GenericError 1 0 2008-01-28 15:19:11 (secmgr.cpp (3825) err=7010018 sys=0) SBL-SEC-10018: Insufficient access

USER1 is the user whose password you are trying to change.  The "SBL-SEC-10018: Insufficient access"
message is clearly visible at the end of the log segment.

Cause

As the error indicates, the problem is being caused by a user having insufficient access rights in the LDAP directory to change a user's password.  The user in question will generally be the ApplicationUser specified in the LDAPSecAdpt profile, but can be confirmed by scanning up from the error to the first "ldap_simple_bind" statement you encounter.  This is the userID that is binding to the LDAP directory and the one which needs the correct privileges to process the password change.  In our example, it is "uid=appuser,ou=people,dc=domain1,dc=intranet" (the ApplicationUser from the LDAPSecAdpt profile).
Since insufficient access type errors can have multiple causes, it is also helpful to note the specific LDAP return code on the following line:
ldap_modify_ext_s(c24bf8, uid=USER1,ou=People,dc=domain1,dc=intranet, d4ed0c0, NULL, NULL) returns 50.
The "50" is a generic LDAP standard message for insufficient access privileges.

Solution

The solution to this error is to make sure that the bind user specified (generally the ApplicationUser from the LDAPSecAdpt profile) has been granted adequate privileges to the specific container or BaseDN where the user whose password you are changing resides in the LDAP directory.  For specific instructions on how to do this, please consult the documentation for the LDAP directory server software you are using.

Applies to:

Siebel CRM - Version: 7.8.2.10 SIA [19241] to 8.0.0.2 SIA [20412] - Release: V7 to V8
Siebel Call Center - Version: 7.8.2.10 SIA [19241] to 8.0.0.2 [20412]   [Release: V7 to V8]
z*OBSOLETE: Microsoft Windows Server 2003 R2 (32-bit)

Symptoms

Statement of what the issue is
I understand you are having a problem where users accessing the application via the web client can't log in.
Problem was :'The server you are trying to access is either busy or experiencing difficulties. Please close the Web browser, open a new browser window, and try logging in again.[05:25:20] '.
We are not having any issue on web server, gateway server and siebel servers. we bounced all ther servers but despite the application is not coming up.
customer was using LDAP

Changes

No changes made

Cause

cause determination
cause was determined as directory search from BaseDN causing the administratie locks on the userid. which caused the whole production to go down
cause justification
the log file capture ERMAdminObjMgr_enu_14657.log has the folllowing

SecAdptLog Debug 5 0 2008-10-03 11:10:33 LDAP SecurityLogin8 step 1: initialize ldap server connection
SecAdptLog 3rdpartyTrace 3 0 2008-10-03 11:10:33 ldap_init(ldap.cisco.com, 389) returns d24be0
SecAdptLog Debug 5 0 2008-10-03 11:10:33 LDAP SecurityLogin8 step 2: initial bind to ldap server
SecAdptLog 3rdpartyTrace 3 0 2008-10-03 11:10:34 ldap_simple_bind_s(d24be0, uid=HRSiebelLogin,ou=applications,o=cisco.com, *) returns 0
SecAdptLog Debug 5 0 2008-10-03 11:10:34 LDAP SecurityLogin8 step 3: check for single sign on
SecAdptLog Debug 5 0 2008-10-03 11:10:34 LDAP SecurityLogin8 step 4: check for trust token if SSO is on.
SecAdptLog Debug 5 0 2008-10-03 11:10:34 LDAP SecurityLogin8 step 5: set siebeUsername/siebelUserDn
SecAdptLog API Trace 4 0 2008-10-03 11:10:34 Ldap Utility: Get User DN. Username=HRSiebelLogin, Attribute=uid, BaseDN=o=cisco.com
SecAdptLog 3rdpartyTrace 3 0 2008-10-03 11:10:36 ldap_search_s(d24be0, o=cisco.com, LDAP_SCOPE_SUBTREE, (uid=HRSiebelLogin), 244e080, 1) returns 11.
SecAdptLog Memory Mgmt Trace 5 0 2008-10-03 11:10:36 LDAP SecurityFreeErrMessage8, ErrMessage=6e92fc0.
GenericLog GenericError 1 0 2008-10-03 11:10:36 (secmgr.cpp (2357) err=7010018 sys=0) SBL-SEC-10018: Administration limit exceeded
GenericLog GenericError 1 0 2008-10-03 11:10:36 (secmgr.cpp (2429) err=7010001 sys=0) SBL-SEC-10001: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.
ObjMgrCTLog Error 1 0 2008-10-03 11:10:36 (ctxtmgr.cpp (3435)) SBL-SVC-00208: Please login first.

Solution

Solution
our suggestion is not to have any restrictions at BaseDN level atleast. anything below, you can have the limits based on your testing and results.

but any specific number or anything related to limitation, has to be done by you . it is beyond the scope of Siebel TS to say anyspecific limit or setup because the hit from userbase is not well known or well defined at one point of time. it will keep changing

Applies to:

Siebel System Software - Version 8.0 [20405] and later
Information in this document applies to any platform.
***Checked for relevance on 27-SEP-2012***

Symptoms

When using the LDAPSecAdpt to authenticate against an Active Directory server with the BaseDN set to the root level, the Siebel application will not come up.  Examination of the Security Adapter logs shows an error pattern similar to the following when trying to search for the UserDN:
SecAdptLog API Trace 4 000000084a7719a0:0 2009-08-03 16:38:07 Ldap Utility: GetUserDn. Username=ANONUSER, Attribute=sAMAccountName, BaseDN=DC=xxxx,DC=xxxx
SecAdptLog 3rdpartyTrace 3 000000084a7719a0:0 2009-08-03 16:38:08 ldap_search_s(1094aa0, DC=thcg,DC=net, LDAP_SCOPE_BASE, (sAMAccountName=ANONUSER), ...) returns 1.
SecAdptLog 3rdpartyTrace 3 000000084a7719a0:0 2009-08-03 16:38:08 ldap_msgfree (10957f8)
SecAdptLog 3rdpartyTrace 3 000000084a7719a0:0 2009-08-03 16:38:08 ldap_unbind(1094aa0) returns 0.
SecAdptLog Memory Mgmt Trace 5 000000084a7719a0:0 2009-08-03 16:38:08 LDAP SecurityFreeErrMessage8, ErrMessage=c822828.
GenericLog GenericError 1 000000084a7719a0:0 2009-08-03 16:38:08 (secmgr.cpp (2486) err=4597538 sys=0) SBL-SEC-10018: Operations error
GenericLog GenericError 1 000000084a7719a0:0 2009-08-03 16:38:08 (secmgr.cpp (2558) err=4597521 sys=0) SBL-SEC-10001: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.
ObjMgrSessionLog Error 1 000000084a7719a0:0 2009-08-03 16:38:08 (physmod.cpp (9244)) SBL-DAT-00565: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.
ObjMgrSessionLog Error 1 000000084a7719a0:0 2009-08-03 16:38:08 (model.cpp (5886)) SBL-DAT-00565: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.
ObjMgrCTLog Error 1 000000084a7719a0:0 2009-08-03 16:38:08 (ctxtmgr.cpp (4493)) SBL-SVC-00208: Please login first.

Cause

This behavior is being caused by how the LDAPSecAdpt, IBM LDAP Client libraries, and the Windows 2003 based Active Directory are interracting when the BaseDN is set to the root level. The fundamental issue is that Windows 2003 introduced stricter authentication/authorization requirements when attempting to access certain parts of the overall schema and resources.

When you do an LDAP search from the root of the Active Directory, you are searching everything under the root. This includes not only things like Organizational Units, Computers, etc.; but also fundamental configuration and schema entities such as:

DC=Configuration,DC=domain,DC=net
DC=DomainDnsZones,DC=domain,DC=net

It is the fact that the application user does not have adequate access to these types of entities that is causing the behavior.

Solution

This behavior is due to the fact that the LDAPSecAdpt is attempting to search hidden/system containers to which it does not have access. Since you are not using PropagateChange=True to make changes to the AD from the Siebel application and the Active Directory in question has Global Catalog functionality enabled, the best workaround at this time is to point the LDAPSecAdpt to the Global Catalog port of 3268.

1. Login to an employee facing, high interactivity Siebel application (e.g. Sales, Call Center, etc.) as an administrator.

2. Navigate to Site Map > Administration - Server Configuration > Enterprises > Profile Configuration.

3. Make sure the correct Siebel Enterprise is selected in the top applet.

4. In the middle applet query for LDAPSecAdpt (or whatever name you have given your LDAP Security Adapter).

5. In the bottom applet find the Port parameter and change it to 3268.

6. Step off to save the change and logout of the Siebel application.

7. Stop and restart the Siebel Server service(s) and the Siebel Gateway service.

There are limitations when using the Global Catalog with Siebel. In summary, you have to set the PropagateChange parameter on the LDAPSecAdpt to False. This means you will not be able to update anything in the Active Directory (for example passwords) from the Siebel application. For more in-depth information, please see the following on My Oracle Support:

"ADSI Authentication Using Global Catalog Port 3268 (Doc ID 517259.1)"

"With Windows Integrated Authentication based SSO, can we have users from multiple domains? (Doc ID 834759.1)"

If you require PropagateChange = True in your implementation, then the Global Catalog workaround above will not work.  There are several options in this case:

1. If your Siebel application servers are running on a Windows operating system, you could switch to the ADSISecAdpt.
   
   
2. Drop the BaseDN down one level.  It is important that all the Siebel users (including the anonymous user in eapps.cfg) be in or under the BaseDN your specify.
   
   
3. Make the application user specified in the LDAPSecAdpt's ApplicationUser parameter a Domain Administrator within the Active Directory.

Applies to:

Siebel CRM - Version 8.1.1 SIA [21111] and later
Generic Linux
Generic UNIX
Affected Database: Oracle

""Checked for Relevance on 11-09-2012""

Symptoms

start_server script (for staring Siebel Server) or srvrmgr command may fail and the error message in NameSrvr.log file indicates " SBL-SEC-10007: The password you have entered is not correct. Please enter your password again." while the same user/password combination works on SQLPlus.

Cause

In Siebel 8.1.x, Siebel Gateway Server (GtwySrvr) authenticates the user who attempts to connect to GtwySrvr. In standard setting, GtwySrvr performs database authentication against the user. Using Oracle database, $ORACLE_HOME/lib (or $ORACLE_HOME/lib32 when Oracle Database Server is 64 bit) must be part of the shared libraries for GtwySrvr process (siebsvc). If it is not set correctly, starting Siebel Server (start_server script) or launching srvrmgr will fail with following errors..

1) start_server
- On terminal window, it does not show any error but list_server scripts reveals it is stopped in a few seconds.

- SiebSrvr.log under siebsrvr/log directory shows following error.
SBL-SCC-00005: Internal:No more items found.
SBL-SVR-01045: No components are configured.
SBL-SVR-00005: Stale or invalid Task handle
scfEventFac::s_pEvtFacLock is NULL and hence SCF event facility cannot be initialised
SBL-SVR-09149: Could not initialize the event facility.
SCFMessageFacility::s_pSCFMsgFacLock is null and hence the SCFMessageFacility cannot be initialized
ipcFacility GetInstance called before initialization - object is null
SBL-SVR-00029: Internal: Shared memory has not been initialized.

- NameSrvr.log under gtwysrvr/log directory shows following error.
SBL-SEC-10018: 523 80
SBL-SEC-10007: The password you have entered is not correct. Please enter your password again.


2) srvrmgr command
- On terminal windows, error message "Fatal error (2555922): Could not open connection to Siebel Gateway configuration store" is shown.

- srvrmgr.log under siebsrvr/log directory shows following error.
NSS - ErrCode 4597527 SysErr 0
SBL-SCM-00018: Could not open connection to Siebel Gateway configuration store (GATEWAY SERVER HOST:GATEWAY SERVER PORT).
GATEWAY SERVER HOST = Host name for Siebel Gateway Server
GATEWAY SERVER PORT = Port number to connect to Siebel gateway Server

- NameSrvr.log under gtwysrvr/log directory shows following error.
SBL-SEC-10018: 523 80
SBL-SEC-10007: The password you have entered is not correct. Please enter your password again.

** Please note key messages is "SBL-SEC-10018: 523 80" in NameSrvr.log. If this error is NOT recorded, this is really password problem.

Solution

Please make sure to set $ORACLE_HOME/lib in LIBPATH (AIX), SHLIB_PATH (HP-UX), or LD_LIBRARY_PATH (Linux, Solaris) variables before start_ns is run.

Applies to:

Siebel CRM - Version: 8.1.1 [21112] and later   [Release: V8 and later ]
Information in this document applies to any platform.

Symptoms

Customer is unable to see the login screen and the following errors are found in the OM log:
SecAdptLog API Trace 4 000000034d3520f3:0 2011-01-18 15:11:32 DB SecurityLogin with username=SADMIN, parameters=3ae0e00.
SecAdptLog Debug 5 000000034d3520f3:0 2011-01-18 15:11:32 DB security adapter: Load data source configuration
ObjMgrDBConnLog Create 5 000000034d3520f3:0 2011-01-18 15:11:33 DataBase Connection Object was created at 3cdeb90; DB User: 'SADMIN'
ObjMgrLog Error 1 000000034d3520f3:0 2011-01-18 15:11:33 (oracon.cpp (3122)) SBL-DBC-00107: An Oracle database error has occurred.
Please continue or ask your systems administrator to check your application configuration if the problem persists.
SecAdptLog API Trace 4 000000034d3520f3:0 2011-01-18 15:11:33 Security DB user connect to DB CRM with username=SADMIN returns err 65535 and connection 3cdeb90.
SecAdptLog API Trace 4 000000034d3520f3:0 2011-01-18 15:11:33 Security DB user delete DB connectoin 3cdeb90
ObjMgrDBConnLog Delete 5 000000034d3520f3:0 2011-01-18 15:11:33 DataBase Connection was deleted at 3cdeb90
GenericLog GenericError 1 000000034d3520f3:0 2011-01-18 15:11:33 (secmgr.cpp (2676) err=4597538 sys=0) SBL-SEC-10018: An Oracle database error has occurred.
Please continue or ask your systems administrator to check your application configuration if the problem persists.(SBL-DBC-00107)

SecAdptLog Memory Mgmt Trace 5 000000034d3520f3:0 2011-01-18 15:11:33 DB SecurityFreeErrMessage, message=<?INT?>.
GenericLog GenericError 1 000000034d3520f3:0 2011-01-18 15:11:33 (secmgr.cpp (2750) err=4597521 sys=0) SBL-SEC-10001: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.
ObjMgrSessionLog Error 1 000000034d3520f3:0 2011-01-18 15:11:33 (physmod.cpp (9330)) SBL-DAT-00565: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.
ObjMgrSessionLog Error 1 000000034d3520f3:0 2011-01-18 15:11:33 (model.cpp (5890)) SBL-DAT-00565: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.
ObjMgrSessionLog ObjMgrLogin 3 000000034d3520f3:0 2011-01-18 15:11:33 Login failed for Login name : SADMIN

Cause

During the investigation, the customer confirmed that they are able to connect using sqlplus and odbcsql with the SADMIN credentials. However, the login page does not appear.

Subsequent investigation reveals that customer has installed an Oracle DatavaseInstant Client instead of a full version of the Oracle database client software.

Solution

1. Request customer to download the 'Oracle Database 11g Release 2 Client (11.2.0.1.0) for HP-UX Itanium
hpia64_11gR2_client32.zip (32-bit)' from http://www.oracle.com/technetwork/database/enterprise-edition/downloads/112010-hpisoft-097214.html

2. Install the Oracle client package and set the SHLIB_PATH before restarting the Siebel Services

References

NOTE:476703.1 - What Are the Steps To Troubleshoot the Error Message: The Server You Are Accessing is Either Busy or Experiencing Difficulties...in a Siebel Web Client User Browser?
NOTE:1085793.1 - Servers won't start; gateway throws error: "Fatal error (2555922): Could not open connection to Siebel Gateway configuration store"

Applies to:

Siebel System Software - Version 7.7.2.6 [18372] and later
z*OBSOLETE: Microsoft Windows Server 2003
Product Release: V7 (Professional)
Version: 7.7.2.6 [18372]
Database: Microsoft SQL Server 2000 SP4
Application Server OS: Microsoft Windows 2003 Server SP1
Database Server OS: Microsoft Windows 2003 Server SP1

This document was previously published as Siebel SR 38-3402328041.

Symptoms

Inbound HTTP requests are received to create Activities for Service Requests.  This works as expected in test environments, but fails in production.
The error message received from external application is :-

"The server you are trying to access is either busy or experiencing difficulties. Please close the Web browser, open a new browser window, and try logging in again"

The error in the EAIObjMgr log :-


GenericLog GenericError 1 0 2007-07-16 15:59:57 (secmgr.cpp (2288) err=7010018 sys=0) SBL-SEC-10018: You have entered an invalid set of logon parameters. Please type in your logon parameters again.(SBL-DAT-00446)

GenericLog GenericError 1 0 2007-07-16 15:59:57 (secmgr.cpp (2344) err=7010007 sys=0) SBL-SEC-10007: The password you have entered is not correct. Please enter your password again.

Corresponding error in the SWSE log :-

SisnTcpIp SisnSockError 1 0 2007-07-16 15:59:57 1968: [TCPIP-client] recv() failed for sd=2308 (err=10054 | An existing connection was forcibly closed by the remote host (peer).)

GenericLog GenericError 1 0 2007-07-16 15:59:57 (smconn.cpp (430) err=1801023 sys=0) SBL-NET-01023: Peer disconnected

ObjMgrSessionLog Error 1 0 2007-07-16 15:59:58 Login failed for Login name : pse

ProcessPluginState ProcessPluginStateError 1 0 2007-07-16 15:59:58 1968: [SWSE] Open Session failed (0x5a94) after 0.0602 seconds.

ProcessPluginRequest ProcessPluginRequestError 1 0 2007-07-16 15:59:58 1968: [SWSE] Failed to obtain a session ID. The password you have entered is not correct. Please enter your password again.

ProcessPluginRequest ProcessPluginRequestError 1 0 2007-07-16 15:59:58 1968: [SWSE] Set Error Response (Session: Error: 00023188 Message: The password you have entered is not correct. Please enter your password again.)

Cause

The issue was with the password. There was a $ sign in the password and XML was not reading the password correctly (the $ was being escaped).

Solution

Customer changed the password and the inbound requests worked as expected.

Applies to:

Siebel System Software - Version: 8.1.1.2 and later   [Release: V8 and later ]
Information in this document applies to any platform.

Symptoms

Customer has enabled SSL between a LDAPSecAdpt OM and Active Directory server. However, they encountered the following errors when they perform a password change and the password contains a special character (e.g. @) at the end of the new password:
SecAdptLog 3rdpartyTrace 3 000001bb4d0b3e01:0 2010-12-17 21:46:46 ldap_modify_ext_s(a0836c8, CN=user1,OU=App ID,DC=siebdev,DC=hq, ec4fa88c, NULL, NULL) returns 19.
..
GenericLog GenericError 1 000001bb4d0b3e01:0 2010-12-17 21:46:46 (secmgr.cpp (4635) err=4597538 sys=0) SBL-SEC-10018: Constraint violation
GenericLog GenericError 1 000001bb4d0b3e01:0 2010-12-17 21:46:46 (secmgr.cpp (4699) err=4597530 sys=0) SBL-SEC-10010: The requested password does not conform to our password policy. Please review password requirements and select a new password.

The customer verified that they are able to change the user's password directly in the Active Directory when using the same new password.

Cause

Oracle Technical Support is able to reproduce the same behavior in house when using a LDAPSecAdpt enabled OM. However, if a ADSISecAdpt enabled OM is used, the password change is successful.

After discussion with internal resources, this is determined to be a limitation on the IBM LDAP Client.

Solution

 In this case, the customer is advised to prevent the usage of special characters in their password.

Applies to:

Siebel System Software - Version: 7.7.2.7 SIA [18376] to 8.1.1 [21112] - Release: V7 to V8
Information in this document applies to any platform.

Symptoms

Customer is trying to bind to an Active Directory server using the ADSISecAdpt and is getting the following errors:

SBL-SEC-10018: Unable to bind to the ADSI object 'LDAP://bose.com/DC=bose,DC=com'.(SBL-DAT-00705)


SBL-SEC-10001: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.


SBL-SVC-00208: Please login first.

Review of the ADSI return code shows a return of 8007052e.

Cause

The application user password specified in the ADSISecAdptADSISecAdpt profile is incorrect.

Specific observations made in this case that support this finding were:

1. The return error code 8007052e is an invalid user DN or password error.

2. All other relevant parameters in the ADSISecAdptADSISecAdpt match between a working environment and the non-working environment.

3. The encrypted values of the application user password parameter are different in the two environments.  This can be checked by reviewing the siebns.dat file in a text editor and searching for ADSISecAdptADSISecAdpt and finding the password parameter.

Solution

This behavior can be corrected by fixing the application user password in the ADSISecAdpt profile.  To do this:

1. Login to an employee facing application as SADMIN or another user with administrative responsibilities.

2. Navigate to Site Map > Administration - Server Configuration > Enterprises > Profile Configuration

3. Locate the ADSISecAdpt profile.

4. Locate the Application User Password parameter.

5. Carefully re-enter the password for the application user in plain text (the system will automatically encrypt it).

6. Save the record.

Then close out of all browser windows (to make sure you get a clean object manager task) and retest the behavior. If it still gives the error, you may want to stop and restart the Siebel Server and Gateway services to make sure the new values loaded properly.

Applies to:

Siebel CRM - Version: 8.1.1.4 SIA [21225] and later   [Release: V8 and later ]
Information in this document applies to any platform.

Symptoms

Customer is attempting to implement a web single sign-on (SSO) solution using the standard LDAPSecAdpt in Siebel 8.1.1.4. The SSO system is providing the Siebel login via an HTTP header variable in a supported manner. The process is not successful and the following is showing up in the application object manager log:

SBL-SEC-10018: Trust token mismatch

Customer has verified and re-entered the TrustToken parameter in both the security adapter profile and the appropriate virtual directory entry in the eapps.cfg file. Also the EncryptPassword parameter in eapps.cfg is set to FALSE.

Desired behavior is that the user should successfully authenticate into Siebel via the SSO system.

Cause

Behavior was caused by the presence of multiple ProtectedVirtualDirectory parameter entries in the eapps.cfg file pointed to the same location. As a result the process was going to the wrong location in the eapps.cfg file and pulled back an invalid TrustToken.

Solution

This issue was resolved by making sure that no more than one ProtectedVirtualDirectory parameter in the eapps.cfg and/or eapps_sia.cfg files were pointed to the same virtual directory (for example:  [/sales_enu]).

After making changes to the eapps.cfg or eapps_sia.cfg file, make sure to stop and restart the web services so that the changes are fully implemented.

Applies to:

Siebel CRM - Version: 8.1.1.1 [21211] and later   [Release: V8 and later ]
Information in this document applies to any platform.

Symptoms

Siebel server is not getting started and gateway server is already started. While checing the namesrvr.log found the error below.

1 000000024f061e2c:0 2012-01-06 11:24:26 (secmgr.cpp (2679) err=4597538 sys=0) SBL-SEC-10018: data source connect string or table owner is empty.

GenericLog GenericError 1 000000024f061e2c:0 2012-01-06 11:24:26 (secmgr.cpp (2751) err=4597521 sys=0) SBL-SEC-10001: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact yo

Cause

After further investigation found that, gateway service file got corrupted and below are the entries in svc.gtwyns and here gatewya.cfg file is missing in below line.
siebsvc -s gtwyns -a "/f /siebel/gtwysrvr/sys/siebns.dat /t 2320 "

Solution

Recreate gateway service file again with the below command.
1. Stop Gateway server.
2.siebctl -S gtwyns -a -g "/f /siebel/gtwysrvr/sys/siebns.dat /t 2320 /c /siebel/gtwysrvr/bin/gateway.cfg"
3. Restart the gateway server and siebel server services.

Applies to:

Siebel Public Sector Service - Version 8.1.1.4 SIA [21225] and later
IBM AIX on POWER Systems (64-bit)

Symptoms

Customer Environment:
8.1.1.4 SIA [21225], IBM AIX on POWER Systems (64-bit) 6.1 and DB on DB2

Unable access URL after completing installation
------------------------------------------------------
1. After successful completion of installation and configuration, user not able to access URL
2. Its throwing error "The server you are trying to access is either busy or experiencing difficulties."

"The server you are trying to access is either busy or experiencing difficulties."
SBL-GEN-02500,SBL-SEC-10018

Cause

===Cause Determination ===

1. Incorrect ODBC Datasource name for server configuration, configured server host name under datasource parameter in profile configuration
2. Incorrect LIB path version settings ( 64 bit instead of 32- bit ) where siebel supports only 32-bit library paths


===Cause Justification ===

1. Exact error with caused issue:
SecAdptLog Debug 5 000000104dd600f0:0 2011-05-20 11:31:45 DB security adapter: Could not load or initialize data source ServerDataSrc, err=65535.
SecAdptLog API Trace 4 000000104dd600f0:0 2011-05-20 11:31:45 Security DB user delete DB connectoin 0
GenericLog GenericError 1 000000104dd600f0:0 2011-05-20 11:31:45 (secmgr.cpp (2679) err=4597538 sys=0) SBL-SEC-10018: Can't load sscddcli(SBL-GEN-02500)

2. Defined the same LIB support for Siebel application in a 32 Bit Libraries Are Not Installed With Oracle11g (11.1.0.6) On HP-UX Itanium (Doc ID 471476.1) , but as verified users environment found few other configuration issues which need to be corrected

Solution

1. EDIT LIBPATH and add 32-bit LIB path where database client installed
2. login to apps via dedicated client and change Data source Connect String parameter from server name to real data source under profile configuration which specified in .odbc.ini file  parameter will end with _DSN.
3. Recycle Siebel enterprise
4. Launch application and check for URL status

Applies to:

Siebel System Software - Version 7.7.2 [18325] to 8.0.0.5 [20420] - DO NOT USE [Release V7 to V8]
All Platforms
This document was previously published as Siebel SR 38-1715068851.

Symptoms

Customer was implementing Password Hashing, and after changing parameter DSHashUserPwd in Server Data Source named subsystem to “TRUE” and restarting the Siebel environment, the following components did not start:

PDbXtract/DbXtract
SSEObjMgr_enu
WfProcBatchMgr
WfProcMgr
WfRecvMgr

WfRecvMgr, WfProcMgr, and WfProcBatchMgr had the following error messages:


SBL-SEC-10007: The password you have entered is not correct. Please enter your password again. (0x5a94))
SBL-SEC-10018: You have entered an invalid set of logon parameters. Please type in your logon parameters again.(SBL-DAT-00446)

SBL-SVR-00040: Internal: Informational, encrypted parameter. (0x5a8f))

SBL-OMS-00107: Object manager error: ([2] SBL-SVR-00040: Internal: Informational, encrypted parameter. (0x5a8f))
SBL-OMS-00107: Object manager error: ([1] SBL-SEC-10018: You have entered an invalid set of logon parameters. Please type in your logon parameters again.(SBL-DAT-00446)
ORA-01017: invalid username/password; logon denied

SBL-OMS-00107: Object manager error: ([0] SBL-SEC-10007: The password you have entered is not correct. Please enter your password again. (0x5a94))
SBL-OMS-00102: Error 23188 logging in to the application

SSEObjMgr had the following error messages:

SBL-DAT-00446: You have entered an invalid set of logon parameters. Please type in your logon parameters again.
SBL-SEC-10018: You have entered an invalid set of logon parameters. Please type in your logon parameters again.(SBL-DAT-00446)
ORA-01017: invalid username/password; logon denied


Components PDbXtract (during server startup) and DbXtract (at component task start) had the following error message:

SBL-GEN-04031: Internal: Error occurred during base64 decoding.

Cause

1.  Password parameter for the above components should be set to unhashed password as per Siebel Bookshelf > Security Guide > Security Adapter Authentication > Configuring Password Hashing.

2.  Error message SBL-GEN-04031 in PDbXtract and DbXtract log files occur because the password length is greater than 21 characters. If SADMIN password has more than 21 characters, PDbXtract and DbXtract components will fail with the error message.

The SADMIN password was hashed using the RSA SHA-1 encryption algorithm. When using SADMIN as password in test environment, the hashed password contained 28 characters.  Since "SADMIN" is a fairly simple and short password, we would expect that most good passwords would result in RSA SHA-1 values that are too long.
 .

Solution

1. Set the Password parameter for each component to the unhashed password for the SADMIN user and restart the environment.
2.  The workaround is to change the Hashing algorithm to use Siebel Hash instead of RSA SHA-1. Siebel Hash will encrypt passwords with a length smaller than RSA SHA-1 algorithm.  Please refer to the Security Guide for more information about how to change encryption algorithm.

Applies to:

Siebel Server Manager - Version 8.1.1.2 SIA[21215] and later
Information in this document applies to any platform.

Symptoms

EAI OM, Loyalty Engine Component Failure occur multiple times.

(oracon.cpp (3246)) SBL-DBC-00107: An Oracle database error has occurred.
Please continue or ask your systems administrator to check your application configuration if the problem persists.

(secmgr.cpp (2679) err=4597538 sys=0) SBL-SEC-10018: An Oracle database error has occurred. Please continue or ask your systems administrator to check your application configuration if the problem persists.

(SBL-DBC-00107)ORA-00257: archiver error. Connect internal only, until freed.

Cause

Siebel component shows error:

(SBL-DBC-00107)ORA-00257: archiver error. Connect internal only, until freed.


The error is caused by the fact that the archiver process is unable to archive the current online redolog due to lack of space in the destination for the archivelogs.

Solution

The error is caused by the fact that the archiver process is unable to archive the current online redolog due to lack of space in the destination for the archivelogs.

- Best option is to make more space available in the archive log destination (log_archive_dest_n).

- Increased frequency of log purges.
  Work with your DBA to address the above.

- Restart Siebel servers.

Applies to:

Siebel Remote - Version: 8.0.0.1 SIA [20408] and later   [Release: V8 and later ]
Information in this document applies to any platform.

Symptoms

When they are trying to set up using DBF initialized in other machine, they cannot login. Log files shows the following errors:

"An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.(SBL-DAT-00565)"

SBL-DAT-00522: A Siebel local database error has occurred. Possibly the database name is invalid.

SBL-SEC-10018: A Siebel local database error has occurred. Possibly the database name is invalid.

Please continue or ask your systems administrator to check your application configuration if the problem persists.(SBL-DAT-00522)

Incorrect or missing encryption key

Cause

First of all you have to ensure you have entered the correct encryption key, by running the following query against the server database:

SELECT PREF_CD, VAL, s2.name FROM S_NODE_PREF s1, S_NODE s2 WHERE s1.PREF_CD ='RemLocSec:PlainKey'
AND s1.NODE_ID = s2.ROW_ID AND s2.NAME='<CLIENT NAME>';

Once you get the encryption key, you have to set it in the ODBC properties.

If you still get the "Incorrect or missing encryption key" message after setting the correct encryption key, then the cause is you're missing the MWC_STORAGE.CFG file in the BIN directory.
Documentation "How to Backup Tools/Local databases with Siebel 8 (Doc ID 738286.1)" explains that copying mwc_storage.cfg is a required step to use a database previously initialized.

Solution

Technical Support Response
-------------------------------------

As per our phone conversation, I understand you ran the following query against the server database :

SELECT PREF_CD, VAL, s2.name FROM S_NODE_PREF s1, S_NODE s2 WHERE s1.PREF_CD ='RemLocSec:PlainKey'
AND s1.NODE_ID = s2.ROW_ID AND s2.NAME='';

and it returned the encryption key that you then set in the ODBC properties in the client machine.

Please, after doing that also copy the mwc_storage.cfg file located in the BIN folder in the client where you initialized the DB.

Also ensure the following parameters are set in the Tools configuration file ( *.CFG ):

DSDockEncryptDB=TRUE
DSHashUserPwd=TRUE
DSHashAlgorithm=RSASHA1