About the Utility

Before you run the utility, there are some things you should know.

The utility automatically retrieves all of the necessary certificates from the server in the proper format. When you provide the name of the keystore into which you want to import the certificates, be sure to provide the keystore file that belongs to the JDK being used by the Oracle API Platform Cloud Service gateway. Otherwise, the utility may import the certificates successfully, but they will have no effect at runtime during API calls.

About Certificate Types

When you use the SSL Certificate Import Utility, you must specify the certificate type you want to import. There are three options:

  • CA — This means CA Certificate chain. Use this option when you want to import the intermediate and root certificates.

  • IM — This means Intermediate. Use this option when you want to import the intermediate certificate only.

  • SS — This means Self-signed. Use this option when you want to import the intermediate, root, and server certificates.

    Note:

    The SS option is common in scenarios in which you are accessing backend services that use load balancers with self-signed certificates. Oracle Traffic Director (OTD) is a load balancer that comes with a self-signed certificate by default. This certificate needs to be imported into the Oracle API Platform Cloud Service gateway to allow the traffic. This includes OTD instances provisioned from the Oracle Cloud, including OTD instances from Java Cloud Service or SOA Cloud Service.

About Certificate Aliases

The utility has an option to specify an alias for each certificate imported. After you specify the certificate type, the utility knows which certificates you are importing, and it will ask you if you want to provide an alias. Answer “y” to the prompt, and it will ask for the text for the alias.

The alias is a plain string with no spaces and preferably with no special characters. Providing an alias while importing certificates is not a mandatory step but rather a best practice. If you don’t provide one, a machine-generated alias will be created for you. By definition, an alias is just a handle to a key pair or a certificate, so if you ever need to modify one that has been imported before, you can reference it using a more user-friendly name.
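
The wrong-keystore case described under About the Utility fails silently, and a known alias is what makes an import easy to verify afterwards. The following check is an added example, not part of the Oracle utility or its documentation. It assumes the gateway's JDK trusts its default `cacerts` file rather than a custom truststore, and the function names are hypothetical; `keytool` is the JDK's own tool.

```shell
#!/bin/sh
# Added example: confirm that the keystore given to the import utility is the
# one owned by the gateway's JDK, then confirm the alias is present in it.
# Assumption: the gateway trusts the JDK's default "cacerts" file.

# Print the default truststore path for the JDK rooted at $1.
# JDK 9+ (and a standalone JRE 8) use lib/security; a JDK 8 uses jre/lib/security.
jdk_cacerts_path() {
    jdk_home=$1
    for candidate in "$jdk_home/lib/security/cacerts" \
                     "$jdk_home/jre/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no cacerts file found under $jdk_home" >&2
    return 1
}

# Print "match" if keystore $1 is the default truststore of the JDK at $2,
# "mismatch" otherwise. A mismatch is the case where the import succeeds
# but has no effect at runtime.
check_keystore_choice() {
    used=$1
    expected=$(jdk_cacerts_path "$2") || return 2
    # -ef is true when both paths resolve to the same file (follows symlinks).
    if [ "$used" -ef "$expected" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# Return 0 if alias $2 exists in keystore $1. $3 is the NAME of an environment
# variable holding the store password, so the password never appears in the
# process list.
alias_in_keystore() {
    keytool -list -keystore "$1" -alias "$2" -storepass:env "$3" >/dev/null 2>&1
}

# Usage (paths and alias are placeholders):
#   check_keystore_choice /path/given/to/utility "$JAVA_HOME"
#   KS_PASS=... alias_in_keystore "$(jdk_cacerts_path "$JAVA_HOME")" my-alias KS_PASS
```

Pass the JDK home that the gateway process actually runs with, which is not necessarily the `JAVA_HOME` of your login shell.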

About Network Proxies

The utility must have an outbound internet connection to fetch the certificate(s) from the URL you provide. If you are running the utility from an environment that usually does not provide an outbound internet connection, you won’t be able to run the utility correctly. A common way to overcome this limitation is using network proxies when available.

If you need to use a proxy, you must provide the proxy host and port. The value of the host must be a valid address that points to the network proxy. The utility does not infer whether the network proxy is SSL-based, so you must provide the appropriate protocol prefix (HTTP or HTTPS) before the address. The port must be a valid, non-negative number. Usually, it is 80 for HTTP-based network proxies or 443 for HTTPS-based ones. Make sure to provide the correct values for the network proxy host and port; otherwise, the utility will fail.