2.2 Work with SSL
Running OFSLL WebServices in production with the test certificates is not recommended. For production, you need the following:
1. The vendor's public production key/certificates for the SSL handshake. These have to be imported into the WebLogic truststore.
2. The RO's public production key/certificates, used to validate the digital signature in the RO inputs. These have to be imported into the dls_cacerts keystore mentioned in the configuration file.
3. A production-grade public/private key pair signed by an appropriate CA. Share the public key with the RO so that they can validate the digital signature in OFSLL requests. Do not share the corresponding private key; import it into the dls_cacerts keystore mentioned in the configuration file, where it is used to add the digital signature in RO requests.
Additional Notes
- While testing with the test certificates, you may get the error: Signature verification failed because RSA key public exponent [3] is too small. As a fix, add the following to the start-up script: ‘-Dweblogic.security.SSL.allowSmallRSAExponent=true’
- You may encounter the error: java.security.InvalidKeyException: Illegal key size or Cipher not initialize. As a fix, add the following to the start-up script: ‘-Dweblogic.security.SSL.nojce=true’
- You may encounter the error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty. As a fix, remove the ‘-DUseSunHttpHandler=true’ SSL option, if present, from the start-up script.
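When moving from test to production certificates, it helps to check that the start-up script no longer carries the options discussed in these notes. The following is an added example, not part of the OFSLL documentation or product. The function names, the `JAVA_OPTIONS` variable and the sample script content are constructed, and treating `allowSmallRSAExponent` as a leftover from testing is an assumption drawn from the first note.

```shell
#!/usr/bin/env bash
# Added example: audit a start-up script for the SSL options named in the notes above.

# has_option FILE NAME: succeeds if -DNAME=true appears on a non-comment line.
has_option() {
    grep -v '^[[:space:]]*#' "$1" | grep -Fq -- "-D$2=true"
}

# audit_ssl_flags FILE: prints one finding per line; returns 1 if any FAIL was printed.
audit_ssl_flags() {
    local file=$1 rc=0
    if has_option "$file" weblogic.security.SSL.allowSmallRSAExponent; then
        # Assumption of this example: the option is a leftover from test certificates.
        echo "FAIL allowSmallRSAExponent: accepts RSA public exponent 3 (test-certificate workaround)"
        rc=1
    fi
    if has_option "$file" UseSunHttpHandler; then
        echo "FAIL UseSunHttpHandler: the notes above say to remove it (trustAnchors error)"
        rc=1
    fi
    if has_option "$file" weblogic.security.SSL.nojce; then
        echo "INFO nojce: present (added for the 'Illegal key size' error)"
    fi
    return "$rc"
}

# write_sample FILE: constructed start-up script fragment used as sample input.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real installation
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.allowSmallRSAExponent=true"
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.nojce=true"
# JAVA_OPTIONS="${JAVA_OPTIONS} -DUseSunHttpHandler=true"
export JAVA_OPTIONS
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_ssl_flags "$sample" || echo "start-up script still carries test-only SSL options"
rm -f "$sample"
```

Commented-out options are ignored, so the `UseSunHttpHandler` line in the sample is not reported.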
This topic consists of the following sections: