Set Up Oracle SOA Cloud Service to Use CA-Verified SSL Certificates (non-OTD)
This section describes how to replace the default identity and trust keystores of Oracle SOA Cloud Service with a custom identity keystore and a custom trust keystore, and how to register the Oracle SOA Cloud Service server with digital certificates procured from a public certificate authority (CA) such as DigiCert or another third-party CA.
As a prerequisite, register the Oracle SOA Cloud Service domain with public DNS so that the CA can verify ownership of the domain. In this documentation, the public IP address of the Oracle SOA Cloud Service domain is registered as mydomain.com and the CA-signed certificates are issued for mydomain.com.
The Enterprise Manager (EM) Console must be reachable using the public domain name.
Note:
The steps here are for an Oracle SOA Cloud Service instance that is not using Oracle Traffic Director (OTD). If you are using OTD, see Set Up Oracle SOA Cloud Service to Use CA-Verified SSL Certificates (with OTD).
Register a Domain Name for Oracle SOA Cloud Service
Create Custom Identity and Custom Trust Keystores and Generate a CSR
Share the CSR with the CA to Get CA-Signed Certificates
To share the CSR with the CA to get CA-signed certificates:
Import CA Certificates
Certificate Authority (CA) certificates must be imported in the following order: first the signed server certificate, then the intermediate certificate, and then the root certificate. Keep all three files that the CA returns together: when the signed server certificate is installed under the key-pair alias of the identity keystore, keytool must be able to establish the chain from that certificate up to the root, and it rejects the import if the intermediate or root certificate is unavailable.
To import CA certificates:
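The keytool commands behind the keystore, CSR and CA-import steps above, as an added example that is not part of the Oracle documentation. Everything concrete in it is an assumption: the keystore directory under /u01/data, the alias mydomain, the organization fields in the distinguished name, the file names server.crt, intermediate.crt and root.crt for what the CA returns, and the placeholder passwords (read the real ones from a prompt or a secret store; never leave them in a script). The CA reply is assembled as one PEM file in the documented order (signed server certificate, intermediate, root) so that keytool can validate the whole chain before installing it under the key-pair alias; the same three certificates are then added to the custom trust keystore as trusted entries.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. All paths, aliases,
# DN fields and passwords below are hypothetical placeholders.
set -u

KEYSTORE_DIR="${KEYSTORE_DIR:-/u01/data/keystores}"   # assumption
IDENTITY_JKS="$KEYSTORE_DIR/identity.jks"             # custom identity keystore
TRUST_JKS="$KEYSTORE_DIR/trust.jks"                   # custom trust keystore
ALIAS="${ALIAS:-mydomain}"                            # alias of the server key pair
SERVER_NAME="${SERVER_NAME:-mydomain.com}"            # must be the registered public DNS name
IDENTITY_PASS="${IDENTITY_PASS:-changeit}"            # placeholder only
TRUST_PASS="${TRUST_PASS:-changeit}"                  # placeholder only

# keytool ships with the JDK under the Middleware home on the SOA CS VM.
have_keytool() { command -v keytool >/dev/null 2>&1; }

# Stage 1: identity keystore holding a fresh 2048-bit RSA key pair, plus the CSR
# to hand to the CA. The SAN extension matters: browsers ignore the CN alone.
create_identity_and_csr() {
    have_keytool || { echo "keytool not on PATH" >&2; return 2; }
    mkdir -p "$KEYSTORE_DIR"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$SERVER_NAME, OU=SOA, O=Example Corp, L=City, ST=State, C=US" \
        -ext "SAN=dns:$SERVER_NAME" \
        -keystore "$IDENTITY_JKS" -storepass "$IDENTITY_PASS" -keypass "$IDENTITY_PASS" || return 1
    keytool -certreq -alias "$ALIAS" -file "$KEYSTORE_DIR/$SERVER_NAME.csr" \
        -keystore "$IDENTITY_JKS" -storepass "$IDENTITY_PASS" -keypass "$IDENTITY_PASS"
}

# Stage 2a: assemble the CA reply in the documented order: signed server
# certificate, intermediate, root. keytool accepts a concatenated PEM file as a
# certificate reply and validates the chain before installing it under $ALIAS.
# Usage: build_reply_file server.crt intermediate.crt root.crt > reply.pem
build_reply_file() {
    [ $# -eq 3 ] || { echo "usage: build_reply_file server intermediate root" >&2; return 1; }
    cat "$1" "$2" "$3"
}

# Stage 2b: install the reply into the identity keystore, then add each
# certificate of the chain as a trusted entry in the custom trust keystore.
# Usage: import_ca_certificates server.crt intermediate.crt root.crt
import_ca_certificates() {
    have_keytool || { echo "keytool not on PATH" >&2; return 2; }
    server="$1"; inter="$2"; root="$3"
    reply="$KEYSTORE_DIR/reply.pem"
    build_reply_file "$server" "$inter" "$root" > "$reply" || return 1
    keytool -importcert -noprompt -alias "$ALIAS" -file "$reply" \
        -keystore "$IDENTITY_JKS" -storepass "$IDENTITY_PASS" -keypass "$IDENTITY_PASS" || return 1
    for entry in "server:$server" "intermediate:$inter" "root:$root"; do
        keytool -importcert -noprompt -alias "${entry%%:*}" -file "${entry#*:}" \
            -keystore "$TRUST_JKS" -storepass "$TRUST_PASS" || return 1
    done
}

# Stage 3: confirm the identity entry now carries the full chain (expect 3).
show_chain_length() {
    have_keytool || return 2
    keytool -list -v -alias "$ALIAS" -keystore "$IDENTITY_JKS" -storepass "$IDENTITY_PASS" |
        sed -n 's/^Certificate chain length: //p'
}
```

Run create_identity_and_csr first, send the .csr file to the CA, then run import_ca_certificates with the three files it returns and check that show_chain_length prints 3 before pointing WebLogic at the new keystores.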
Synchronize the Local Keystore with the Security Store
Synchronize the keystores so that the keystore information in the domain home and in the Oracle Platform Security Services (OPSS) security store in the database match.
To synchronize keystores:
Update WebLogic Keystores with Custom Identity and Trust
Update the Node Manager and boot.properties File
boot.properties file:
The JAVA_OPTIONS setting for a 12.2.1.2 environment is as follows (the domain name TPLSOADE_domain and the paths are those of the example environment; note that -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false disables host name verification on Node Manager's SSL connections):
JAVA_OPTIONS="${JAVA_OPTIONS} \
-Doracle.security.jps.config=/u01/data/domains/TPLSOADE_domain/config/fmwconfig/jps-config-jse.xml \
-Dcommon.components.home=/u01/app/oracle/middleware/oracle_common -Dopss.version=12.2.1.2 \
-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.egd=file:/dev/./urandom"
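An added example, not from the Oracle documentation, of applying the JAVA_OPTIONS additions above to an existing options line so that the edit to the Node Manager start script can be re-run without duplicating or losing properties. The only value taken from the page is the domain path; the function and variable names are hypothetical, and the helper assumes no option value contains whitespace.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation.
set -u

# ensure_option CURRENT OPTION -> prints CURRENT with OPTION present exactly once.
# A -Dkey=value already present with another value is replaced; all other
# options are kept in order. Values containing spaces are not supported.
ensure_option() {
    current="$1"; opt="$2"
    key="${opt%%=*}"
    out=""
    for tok in $current; do
        case "$tok" in
            "$key"=*|"$key") ;;            # drop the old setting of this key
            *) out="$out $tok" ;;
        esac
    done
    out="$out $opt"
    printf '%s' "${out# }"
}

# soa_java_options DOMAIN_HOME CURRENT -> CURRENT plus the five properties the
# 12.2.1.2 procedure requires, each set once.
soa_java_options() {
    domain_home="$1"; opts="$2"
    opts=$(ensure_option "$opts" "-Doracle.security.jps.config=$domain_home/config/fmwconfig/jps-config-jse.xml")
    opts=$(ensure_option "$opts" "-Dcommon.components.home=/u01/app/oracle/middleware/oracle_common")
    opts=$(ensure_option "$opts" "-Dopss.version=12.2.1.2")
    opts=$(ensure_option "$opts" "-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false")
    opts=$(ensure_option "$opts" "-Djava.security.egd=file:/dev/./urandom")
    printf '%s' "$opts"
}

# hostname_verification_state OPTIONS -> "disabled" when the procedure's flag is
# present, otherwise "enabled" (Node Manager verifies host names by default).
hostname_verification_state() {
    case " $1 " in
        *" -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false "*) echo disabled ;;
        *) echo enabled ;;
    esac
}

# Example run against the domain path used on this page:
soa_java_options /u01/data/domains/TPLSOADE_domain "${JAVA_OPTIONS:-}"
echo
```

Pipe the output into the JAVA_OPTIONS assignment of the Node Manager start script, and use hostname_verification_state in a post-change check so that the weakened verification is recorded rather than forgotten.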
Verify the Environment
After you restart the environment, the Administration Server and Managed Server consoles show the certificates as trusted.
To verify the environment:
Deploy a HelloWorld composite and confirm that the client endpoint URL opens on the HTTPS host and port, and that the browser shows the complete certificate chain (signed server, intermediate, and root) for the client endpoint URL.
To invoke the client endpoint from another composite, import all of the certificates present in the WSDL (signed server, intermediate, and root) into the trust store of the server on which the parent composite is deployed.