Import Certificates of External Web Services with HTTPS in Oracle SOA Suite

To import the certificate chain, which prevents a SSLHandshakeExceptions error from occurring while invoking an HTTPS service, complete the following steps:

Export the Certificate Chain of the HTTPS WSDL Called in Oracle SOA Suite

To export the certificate chain of the HTTPS WSDL:

  1. Open the HTTPS URL that is called from the Oracle SOA/Oracle Service Bus composite in the Firefox browser.
  2. Click the padlock icon to the left of the URL.
  3. Under Secure Connection, select More Information.
  4. Go to the Security tab and click View Certificates.
  5. In Certificate Viewer dialog, click the Details tab and select each certificate.
  6. Click Export.

    Once the certificates are exported, you can use secure copy (SCP) to copy them onto the virtual machines where the Oracle SOA/Oracle Service Bus servers are running.

Import the Certificate Chain of the HTTPS WSDL Called in the Oracle SOA Suite Trust Store

Note:

In a multinode cluster, the certificate chain must be imported to the keystores on all nodes of the cluster.

To import the certificate chain of the HTTPS WSDL called in the Oracle SOA Suite trust store:

  1. Check the setDomainEnv.sh file to see if you have a DemoTrust.jks entry in EXTRA_JAVA_PROPERTIES present under DOMAIN_HOME.
  2. If a DemoTrust.jks entry exists, use the keytool command to import the certificates in the JKS-based trust store:
    keytool -import -alias rootcrt1 -keystore
/u01/app/oracle/middleware/wlserver/server/lib/DemoTrust.jks -file RootcertFile.crt -
storepass DemoTrustKeyStorePassPhrase
    keytool -import -alias intercrt2 -keystore
/u01/app/oracle/middleware/wlserver/server/lib/DemoTrust.jks -file InterMedCertFile.crt -
storepass DemoTrustKeyStorePassPhrase
    keytool -import -alias cert3 -keystore
/u01/app/oracle/middleware/wlserver/server/lib/DemoTrust.jks -file cert3file.crt -storepass
DemoTrustKeyStorePassPhrase
  3. If a DemoTrust.jks entry does not exist, use Oracle Enterprise Manager Fusion Middleware Control to import certificates in the KSS-based trust store:
    1. Go to the Keystore > Weblogic Domain drop down list, and select Security > Keystore.
    2. In the navigation tree, click trust.
    3. Click the Manage button.
    4. Click the Import button.
    5. In the Import Certificate dialog, select Trusted Certificate from the Certificate Type list.
    6. Provide the root certificate you previously exported from the WSDL URL.
    7. Repeat the same steps for other certificates in the WSDL URL chain.

    Synchronizing the keystores copies the certificates from the central repository to the local domain file. Perform the following commands:

    1. Start WLST: 
      /u01/app/oracle/middleware/oracle_common/common/bin/wlst.sh
    2. Enter the administrator password and public IP address (the IP address used to access Oracle Enterprise Manager Fusion Middleware Control/Oracle WebLogic Server Console). 
      connect('username', 'password', 'admin-server-host:admin-server-port')

      For example:

      connect('weblogic', 'welcome', 't3s://public IP:7002')
    3. Run the following commands:
      svc = getOpssService(name='KeyStoreService')
syncKeyStores(appStripe='system', keystoreFormat='KSS')

Import the Certificate Chain of the HTTPS WSDL Called in the Java Trust Store

Note:

In a multinode cluster, the certificate chain must be imported into the cacerts location on all nodes of the cluster.

To import the certificate chain of the HTTPS WSDL called in the Java trust store:

  • Add the certificate chain into the cacerts location. Sample keytool commands for importing certificates into the cacerts location are as follows:
    keytool -import -alias rootcrt1 -keystore /u01/jdk/jre/lib/security/cacerts -storepass changeit -file
RootcertFile.crt
    keytool -import -alias intercrt2 -keystore /u01/jdk/jre/lib/security/cacerts -storepass changeit -file
InterMedCertFile.crt
    keytool -import -alias cert3 -keystore /u01/jdk/jre/lib/security/cacerts -storepass changeit -file
cert3file.crt

Restart the Administration and Managed Servers

Restart the Administration Server and Managed Servers once the certificates are imported. This is required for both JKS- and KSS-based certificates. See Stop or Start WebLogic Servers.

Troubleshoot Issues

Issue:

The following error occurs when invoking external Web Services:

Caused By: javax.xml.ws.WebServiceException: Could not determine wsdl ports.
WSDLException: faultCode=PARSER_ERROR:  Failed to read wsdl file at: 
https://abc.xxx.com/...Service?WSDL%22, caused by: 
java.security.NoSuchAlgorithmException: Error constructing implementation

Workaround:

  1. Back up $DOMAIN_HOME/bin/setDomainEnv.sh.
  2. Edit $DOMAIN_HOME/bin/setDomainEnv.sh and remove the following entries:
    -Djavax.net.ssl.trustStore=kss://system/xxx
-Djavax.net.ssl.trustStoreType=kss

    Before:

    EXTRA_JAVA_PROPERTIES="-Djavax.net.ssl.trustStore=kss://system/xxx
-Djavax.net.ssl.trustStoreType=kss ${EXTRA_JAVA_PROPERTIES}
-Dsoa.archives.dir=${SOA_ORACLE_HOME}/soa
...

    After:

    EXTRA_JAVA_PROPERTIES=" ${EXTRA_JAVA_PROPERTIES}
-Dsoa.archives.dir=${SOA_ORACLE_HOME}/soa
...