Import Certificates of External Web Services with HTTPS in Oracle SOA Cloud Service
Perform the following steps to import the certificate chain. These steps prevent an SSLHandshakeException error from occurring when a composite invokes an HTTPS service.
- Export the Certificate Chain of the HTTPS WSDL Called in Oracle SOA Cloud Service
- Import the Certificate Chain of the HTTPS WSDL Called in the Oracle SOA Cloud Service Trust Store
- Import the Certificate Chain of the HTTPS WSDL Called in the Java Trust Store
- Restart the Administration and Managed Servers
- Troubleshoot Issues
Export the Certificate Chain of the HTTPS WSDL Called in Oracle SOA Cloud Service
- Open the HTTPS URL that is called from the Oracle SOA/Oracle Service Bus composite in the Firefox browser.
- Click the padlock icon to the left of the URL.
- Under Secure Connection, select More Information.
- Go to the Security tab and click View Certificates.
- In the Certificate Viewer dialog, click the Details tab and select each certificate in the chain.
- Click Export.
Once the certificates are exported, you can use secure copy (SCP) to copy them onto the virtual machines where the Oracle SOA/Oracle Service Bus servers are running.
Import the Certificate Chain of the HTTPS WSDL Called in the Oracle SOA Cloud Service Trust Store
Note:
In a multinode cluster, the certificate chain must be imported into the keystores on all nodes of the cluster.
- Check the setDomainEnv.sh file under DOMAIN_HOME to see whether EXTRA_JAVA_PROPERTIES contains a DemoTrust.jks entry.
- If a DemoTrust.jks entry exists, use the keytool command to import the certificates into the JKS-based trust store:
keytool -import -alias rootcrt1 -keystore /u01/app/oracle/middleware/wlserver/server/lib/DemoTrust.jks -file RootcertFile.crt -storepass DemoTrustKeyStorePassPhrase
keytool -import -alias intercrt2 -keystore /u01/app/oracle/middleware/wlserver/server/lib/DemoTrust.jks -file InterMedCertFile.crt -storepass DemoTrustKeyStorePassPhrase
keytool -import -alias cert3 -keystore /u01/app/oracle/middleware/wlserver/server/lib/DemoTrust.jks -file cert3file.crt -storepass DemoTrustKeyStorePassPhrase
- If a DemoTrust.jks entry does not exist, use Oracle Enterprise Manager Fusion Middleware Control to import the certificates into the KSS-based trust store:
  - From the WebLogic Domain drop-down list, select Security > Keystore.
  - In the navigation tree, click trust.
  - Click the Manage button.
  - Click the Import button.
  - In the Import Certificate dialog, select Trusted Certificate from the Certificate Type list.
  - Provide the root certificate you previously exported from the WSDL URL.
  - Repeat the same steps for the other certificates in the WSDL URL chain.
Synchronizing the keystores copies the certificates from the central repository to the local domain file. Perform the following commands:
- Start WLST:
/u01/app/oracle/middleware/oracle_common/common/bin/wlst.sh
- Enter the administrator password and the public IP address (the IP address used to access Oracle Enterprise Manager Fusion Middleware Control or the Oracle WebLogic Server Administration Console):
connect('username', 'password', 'admin-server-host:admin-server-port')
For example:
connect('weblogic', 'welcome', 't3s://public IP:7002')
- Run the following commands (syncKeyStores is a method of the KeyStoreService object returned by getOpssService):
svc = getOpssService(name='KeyStoreService')
svc.syncKeyStores(appStripe='system', keystoreFormat='KSS')
Import the Certificate Chain of the HTTPS WSDL Called in the Java Trust Store
Note:
In a multinode cluster, the certificate chain must be imported into the cacerts location on all nodes of the cluster.
- Add the certificate chain to the cacerts location. Sample keytool commands for importing certificates into the cacerts location are as follows:
location are as follows:keytool -import -alias rootcrt1 -keystore /u01/jdk/jre/lib/security/cacerts -storepass changeit -file RootcertFile.crt
keytool -import -alias intercrt2 -keystore /u01/jdk/jre/lib/security/cacerts -storepass changeit -file InterMedCertFile.crt
keytool -import -alias cert3 -keystore /u01/jdk/jre/lib/security/cacerts -storepass changeit -file cert3file.crt
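The browser export above and the two sets of keytool commands (DemoTrust.jks and cacerts) can be done from the command line on the VM itself, which is easier to repeat on every node of a cluster. The script below is an added example and is not part of the Oracle documentation: it fetches the chain a server presents with openssl, splits it into one PEM file per certificate, and imports each file into a trust store under a predictable alias, skipping aliases that are already present. The function names, the `wsdl-` alias prefix and the sample openssl output are assumptions constructed for the example; the keystore paths and passwords are the ones documented above, and openssl and keytool are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: fetch the certificate
# chain a TLS endpoint presents, split it into one PEM file per certificate,
# and import each file into a trust store under a predictable alias.
# Assumptions: openssl and keytool are on PATH; keystore paths and passwords
# passed to import_chain are the ones documented above.

# fetch_chain HOST PORT: print the PEM chain the server presents (SNI set to HOST).
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# split_chain DIR: read a PEM bundle (plus any openssl chatter) on stdin,
# write DIR/cert-1.pem, DIR/cert-2.pem, ... and print how many were written.
# cert-1 is the server (leaf) certificate; the last file is the highest CA sent.
split_chain() {
  mkdir -p "$1"
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { close(f); inside = 0 }
    END { print n + 0 }
  '
}

# import_chain DIR KEYSTORE STOREPASS PREFIX: import every cert-N.pem from DIR
# as a trusted certificate. Aliases already in the keystore are skipped, so the
# function can be re-run on every node without keytool failing on duplicates.
import_chain() {
  for f in "$1"/cert-*.pem; do
    cert_alias="$4-$(basename "$f" .pem)"
    if verify_alias "$cert_alias" "$2" "$3"; then
      echo "skip: $cert_alias already present in $2"
      continue
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$cert_alias" \
      -keystore "$2" -storepass "$3" -file "$f" || return 1
  done
}

# verify_alias ALIAS KEYSTORE STOREPASS: exit status 0 when the alias is present.
verify_alias() {
  keytool -list -keystore "$2" -storepass "$3" -alias "$1" >/dev/null 2>&1
}

# Constructed sample of openssl -showcerts output (placeholder bodies, not real
# certificates) so the splitting logic can be exercised offline.
SAMPLE_BUNDLE='depth=1 CN = Constructed Intermediate CA
verify return:1
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafPlaceholderNotARealCertificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediatePlaceholderNotARealCertificate
-----END CERTIFICATE-----
---
No client certificate CA names sent'

# Offline demonstration. On a real node replace the printf with
#   fetch_chain abc.xxx.com 443 | split_chain /tmp/wsdl-chain
# and then, for example,
#   import_chain /tmp/wsdl-chain /u01/app/oracle/middleware/wlserver/server/lib/DemoTrust.jks DemoTrustKeyStorePassPhrase wsdl
#   import_chain /tmp/wsdl-chain /u01/jdk/jre/lib/security/cacerts changeit wsdl
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_BUNDLE" | split_chain "$demo_dir"
```

Because openssl only shows what the server sends, the root CA is often absent from the output; compare the last file against the root you obtained from the browser export before trusting it, and run verify_alias on each node after the restart to confirm the import took effect.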
Restart the Administration and Managed Servers
Restart the Administration and Managed Servers once the certificates are imported. This is required for both JKS- and KSS-based certificates. See Stop or Start an Oracle SOA Cloud Service Instance and Individual VMs.
Troubleshoot Issues
Issue:
The following error occurs when invoking external Web Services:
Caused By: javax.xml.ws.WebServiceException: Could not determine wsdl ports.
WSDLException: faultCode=PARSER_ERROR: Failed to read wsdl file at:
https://abc.xxx.com/...Service?WSDL%22, caused by:
java.security.NoSuchAlgorithmException: Error constructing implementation
Workaround:
- Back up $DOMAIN_HOME/bin/setDomainEnv.sh.
- Edit $DOMAIN_HOME/bin/setDomainEnv.sh and remove the following entries:
-Djavax.net.ssl.trustStore=kss://system/xxx -Djavax.net.ssl.trustStoreType=kss
Before:
EXTRA_JAVA_PROPERTIES="-Djavax.net.ssl.trustStore=kss://system/xxx -Djavax.net.ssl.trustStoreType=kss ${EXTRA_JAVA_PROPERTIES} -Dsoa.archives.dir=${SOA_ORACLE_HOME}/soa ...
After:
EXTRA_JAVA_PROPERTIES=" ${EXTRA_JAVA_PROPERTIES} -Dsoa.archives.dir=${SOA_ORACLE_HOME}/soa ...
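The check of setDomainEnv.sh in the import procedure and the Before/After edit of this workaround are both plain text edits of the EXTRA_JAVA_PROPERTIES line, so they can be scripted and verified. The script below is an added example and not part of the Oracle documentation: truststore_mode reports whether the line points at DemoTrust.jks, at a kss:// store, or at nothing explicit (the JDK cacerts then applies), and apply_workaround backs the file up and removes the two kss properties exactly as shown above. The function names and the sample lines are constructed for the example; the kss://system/xxx value is the placeholder from the page.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: inspect the
# EXTRA_JAVA_PROPERTIES line of setDomainEnv.sh to see which trust store the
# domain points at, and apply the documented workaround of removing the kss://
# trust store properties, keeping a backup. All sample lines are constructed.

# truststore_mode: read setDomainEnv.sh (or just its EXTRA_JAVA_PROPERTIES
# line) on stdin and print one of:
#   jks     -> DemoTrust.jks is referenced; import with keytool
#   kss     -> -Djavax.net.ssl.trustStoreType=kss; import via Fusion Middleware Control
#   default -> no explicit trust store; the JDK's cacerts applies
truststore_mode() {
  props=$(grep 'EXTRA_JAVA_PROPERTIES=' 2>/dev/null || true)
  case "$props" in
    *DemoTrust.jks*)      echo jks ;;
    *trustStoreType=kss*) echo kss ;;
    *)                    echo default ;;
  esac
}

# strip_kss_truststore: remove the two kss properties from whatever is on stdin
# and leave the rest of the line untouched (the Before -> After edit above).
strip_kss_truststore() {
  sed -e 's|-Djavax\.net\.ssl\.trustStore=kss://[^ ]* -Djavax\.net\.ssl\.trustStoreType=kss||'
}

# apply_workaround FILE: copy FILE to FILE.bak, rewrite FILE without the kss
# properties and print the number of changed lines so the caller can confirm
# that exactly the expected edit happened.
apply_workaround() {
  cp "$1" "$1.bak"
  strip_kss_truststore < "$1.bak" > "$1"
  diff "$1.bak" "$1" | grep -c '^>' || true
}

# Constructed samples of the relevant line (the Before and After shown above,
# plus a JKS variant); not copied from a real domain.
SAMPLE_BEFORE='EXTRA_JAVA_PROPERTIES="-Djavax.net.ssl.trustStore=kss://system/xxx -Djavax.net.ssl.trustStoreType=kss ${EXTRA_JAVA_PROPERTIES} -Dsoa.archives.dir=${SOA_ORACLE_HOME}/soa"'
SAMPLE_AFTER='EXTRA_JAVA_PROPERTIES=" ${EXTRA_JAVA_PROPERTIES} -Dsoa.archives.dir=${SOA_ORACLE_HOME}/soa"'
SAMPLE_JKS='EXTRA_JAVA_PROPERTIES="-Djavax.net.ssl.trustStore=/u01/app/oracle/middleware/wlserver/server/lib/DemoTrust.jks ${EXTRA_JAVA_PROPERTIES}"'

# Offline demonstration on a constructed file; on a real node pass
# $DOMAIN_HOME/bin/setDomainEnv.sh to apply_workaround instead.
demo_file=$(mktemp)
printf '%s\n' '#!/bin/sh' "$SAMPLE_BEFORE" > "$demo_file"
echo "mode before:   $(truststore_mode < "$demo_file")"
echo "lines changed: $(apply_workaround "$demo_file")"
echo "mode after:    $(truststore_mode < "$demo_file")"
```

Run truststore_mode on every node before deciding between the keytool and Fusion Middleware Control paths, and expect apply_workaround to report exactly one changed line; a count of zero means the kss properties were not where the page says, and a larger count means setDomainEnv.sh carries more EXTRA_JAVA_PROPERTIES lines than expected and should be inspected by hand.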