Import Certificates of External Web Services with HTTPS in Oracle SOA Cloud Service

Perform the following steps to import the certificate chain. These steps prevent a SSLHandshakeExceptions error from occurring while invoking an HTTPS service.

Export the Certificate Chain of the HTTPS WSDL Called in Oracle SOA Cloud Service

  1. Open the HTTPS URL that is called from the Oracle SOA/Oracle Service Bus composite in the Firefox browser.
  2. Click the padlock icon to the left of the URL.
  3. Under Secure Connection, select More Information.
  4. Go to the Security tab and click View Certificates.
  5. In Certificate Viewer dialog, click the Details tab and select each certificate.
  6. Click Export.

    Once the certificates are exported, you can use secure copy (SCP) to copy them onto the virtual machines where the Oracle SOA/Oracle Service Bus servers are running.

Import the Certificate Chain of the HTTPS WSDL Called in the Oracle SOA Cloud Service Trust Store

  1. Check the setDomainEnv.sh file to see if you have a DemoTrust.jks entry in EXTRA_JAVA_PROPERTIES present under DOMAIN_HOME.
  2. If a DemoTrust.jks entry exists, use the keytool command to import the certificates in the JKS-based trust store:
    keytool -import -alias rootcrt1 -keystore
    /u01/app/oracle/middleware/wlserver/server/lib/DemoTrust.jks -file RootcertFile.crt -
    storepass DemoTrustKeyStorePassPhrase
    keytool -import -alias intercrt2 -keystore
    /u01/app/oracle/middleware/wlserver/server/lib/DemoTrust.jks -file InterMedCertFile.crt -
    storepass DemoTrustKeyStorePassPhrase
    keytool -import -alias cert3 -keystore
    /u01/app/oracle/middleware/wlserver/server/lib/DemoTrust.jks -file cert3file.crt -storepass
    DemoTrustKeyStorePassPhrase
  3. If a DemoTrust.jks entry does not exist, use Oracle Enterprise Manager Fusion Middleware Control to import certificates in the KSS-based trust store:
    1. Go to the Keystore > Weblogic Domain drop down list, and select Security > Keystore.
    2. In the navigation tree, click trust.
    3. Click the Manage button.
    4. Click the Import button.
    5. In the Import Certificate dialog, select Trusted Certificate from the Certificate Type list.
    6. Provide the root certificate you previously exported from the WSDL URL.
    7. Repeat the same steps for other certificates in the WSDL URL chain.

    Synchronizing the keystores copies the certificates from the central repository to the local domain file. Perform the following commands:

    1. Start WLST:
      /u01/app/oracle/middleware/oracle_common/common/bin/wlst.sh
    2. Enter the administrator password and public IP address (the IP address used to access Oracle Enterprise Manager Fusion Middleware Control/Oracle WebLogic Server Console).
      connect('username', 'password', 'admin-server-host:admin-server-port')

      For example:

      connect('weblogic', 'welcome', 't3s://public IP:7002')
    3. Run the following commands:
      svc = getOpssService(name='KeyStoreService')
      syncKeyStores(appStripe='system', keystoreFormat='KSS')

Import the Certificate Chain of the HTTPS WSDL Called in the Java Trust Store

  • Add the certificate chain into the cacerts location. Sample keytool commands for importing certificates into the cacerts location are as follows:
    keytool -import -alias rootcrt1 -keystore /u01/jdk/jre/lib/security/cacerts -storepass changeit -file
    RootcertFile.crt
    keytool -import -alias intercrt2 -keystore /u01/jdk/jre/lib/security/cacerts -storepass changeit -file
    InterMedCertFile.crt
    keytool -import -alias cert3 -keystore /u01/jdk/jre/lib/security/cacerts -storepass changeit -file
    cert3file.crt

Restart the Administration and Managed Servers

Restart the Administration and Managed Servers once the certificates are imported. This is required for both JKS- and KSS-based certificates. See Stop or Start an Oracle SOA Cloud Service Instance and Individual VMs.

Troubleshoot Issues

Issue:

The following error occurs when invoking external Web Services:

Caused By: javax.xml.ws.WebServiceException: Could not determine wsdl ports.
WSDLException: faultCode=PARSER_ERROR:  Failed to read wsdl file at: 
https://abc.xxx.com/...Service?WSDL%22, caused by: 
java.security.NoSuchAlgorithmException: Error constructing implementation

Workaround:

  1. Back up $DOMAIN_HOME/bin/setDomainEnv.sh.
  2. Edit $DOMAIN_HOME/bin/setDomainEnv.sh and remove the following entries:
    -Djavax.net.ssl.trustStore=kss://system/xxx
    -Djavax.net.ssl.trustStoreType=kss
    

    Before:

    EXTRA_JAVA_PROPERTIES="-Djavax.net.ssl.trustStore=kss://system/xxx
    -Djavax.net.ssl.trustStoreType=kss ${EXTRA_JAVA_PROPERTIES}
    -Dsoa.archives.dir=${SOA_ORACLE_HOME}/soa
    ...

    After:

    EXTRA_JAVA_PROPERTIES=" ${EXTRA_JAVA_PROPERTIES}
    -Dsoa.archives.dir=${SOA_ORACLE_HOME}/soa
    ...