I have created a WebLogic 12c Domain with a Managed Server on which I have installed SOA Suite 12.2. To be able to invoke REST services over SSL in my composites, I have created a truststore with a valid certificate chain to connect to the REST server over SSL.
I have created a Custom Identity and Custom Trust for the SOA Managed server using a Custom Identity Store in /u01/data/keystores/identitykeystore.jks and truststore in /u01/data/keystores/truststore.jks.
When invoking the composite using the REST service, I get a remoteFault:
<bpelFault><faultType>0</faultType><remoteFault xmlns="http://schemas.oracle.com/bpel/extension"><part name="summary"><summary>oracle.fabric.common.FabricInvocationException: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</summary></part><part name="code"><code>null</code></part><part name="detail"><detail>unable to find valid certification path to requested target</detail></part></remoteFault></bpelFault></fault><faultType>
<message>0</message></faultType></messages>
In the server.out a Java exception is found shortly after invoking the service, reporting that a valid certification path cannot be found:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The received certificate chain is as expected, a root CA, intermediate and server certificate. (also extracted from the server.out)
The cause seems to be that WebLogic is not using the configured custom truststore but the default Java truststore (yes, the node manager, admin server and managed server have been restarted). This explains why the certification path is not valid, but I currently have no clue how to resolve this.
<Jun 23, 2016 10:15:27 PM CEST> <Info> <Management> <BEA-141107> <Version: WebLogic Server 12.2.1.0.0 Tue Oct 6 10:05:47 PDT 2015 1721936>
trustStore is: /usr/java/jdk1.8.0_92/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
Any suggestion, hint or solution is welcome!
-- Update 1 --
I found the following in the document "Fusion Middleware Securing Oracle WebLogic Server":
How WebLogic Server Locates Trust
WebLogic Server uses the following algorithm when it loads its trusted CA certificates:
- If the keystore is specified by the -Dweblogic.security.SSL.trustedCAkeystore command-line argument, load the trusted CA certificates from that keystore.
- Else if the keystore is specified in the configuration file (config.xml), load trusted CA certificates from the specified keystore. If the server is configured with DemoTrust, trusted CA certificates will be loaded from the WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores.
- Else if the trusted CA file is specified in the configuration file (config.xml), load trusted CA certificates from that file (this is only for compatibility with 6.x SSL configurations).
- Else load trusted CA certificates from WL_HOME\server\lib\cacerts keystore.
The argument -Dweblogic.security.SSL.trustedCAkeystore is not used, so the trusted CA certificates should be loaded from the custom truststore.
-- Update 2 --
For the outbound web service bindings, Oracle SOA Suite uses JRF HttpClient and, therefore, the Sun JDK libraries for SSL. Therefore the -Djavax.net.ssl.trustStore=your_truststore_location has to be added to the JAVA_OPTIONS in the startweblogic.sh
After adding the truststore property to the JAVA_PROPERTIES, the following is logged in the server.out file:
soa_server1.out:/u01/data/domains/soa12c/bin/setDomainEnv.sh: line 384: -Djava.net.ssl.trustStore=/u01/data/keystores/truststore.jks: No such file or directory
The file exists, and the domain user has access to the jks file.
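As an added example (not part of the original post, and not Oracle's own scripts): a small POSIX shell helper that builds the javax.net.ssl.trustStore option described in Update 2 as one quoted string and runs the pre-flight checks an administrator would want before restarting the server. A "line N: -D...: No such file or directory" message from setDomainEnv.sh is what the shell prints when it tries to execute a word as a command, so the option must be appended inside the quoted JAVA_OPTIONS assignment rather than placed on a line of its own. The truststore path, password and CA alias are placeholders you substitute with your own values.

```shell
#!/bin/sh
# Added example: build the JVM trust options as ONE quoted string.
# Only the store location and type are emitted; the truststore password is
# not needed to read trust anchors and would otherwise show up in `ps` output.
truststore_java_options() {
    ts_path="$1"    # e.g. /u01/data/keystores/truststore.jks
    ts_type="${2:-JKS}"
    printf '%s' "-Djavax.net.ssl.trustStore=${ts_path} -Djavax.net.ssl.trustStoreType=${ts_type}"
}

# Pre-flight checks run as the domain user before the server is restarted:
#   1 = store missing, 2 = store not readable by this user,
#   3 = expected CA alias not present (only checked when keytool is on PATH).
check_truststore() {
    ts_path="$1"; ts_pass="$2"; ca_alias="$3"
    [ -f "$ts_path" ] || { echo "missing truststore: $ts_path" >&2; return 1; }
    [ -r "$ts_path" ] || { echo "truststore not readable by $(id -un): $ts_path" >&2; return 2; }
    if command -v keytool >/dev/null 2>&1; then
        keytool -list -keystore "$ts_path" -storepass "$ts_pass" -alias "$ca_alias" >/dev/null 2>&1 \
            || { echo "alias '$ca_alias' not found in $ts_path" >&2; return 3; }
    fi
    return 0
}

# Usage inside setDomainEnv.sh / startWebLogic.sh: keep the option on the same
# line as the assignment, inside the quotes, then export the variable.
#   if check_truststore /u01/data/keystores/truststore.jks changeit rootca; then
#       JAVA_OPTIONS="${JAVA_OPTIONS} $(truststore_java_options /u01/data/keystores/truststore.jks)"
#       export JAVA_OPTIONS
#   fi
```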