Configuring outbound SSL for the SOA Suite

Peter Lorenzen
22/12-2012

A customer had a situation where they had to call a remote Web Service from the SOA Suite via https. (One-way TLS/SSL). The developers had deployed the SOA Application so I had to configure the SOA Suite to trust the key used for SSL. For unknown reasons the normal Weblogic keystores are not used in this situation, so it took some poking around to get it working.

You have to configure 3 things:

1. Djavax.net.ssl.trustStore

Djavax.net.ssl.trustStore must point to your truststore in setDomainEnv.sh.

For example:
-Djavax.net.ssl.trustStore=/u01/app/oracle/domains/my_domain/keystores/soa_trust.jks

I don’t know why this is necessary since we also set this in the next step but it does not work if you don’t.

2. Set Keystore location in the SOA Suite

Start the FMW Control EM and navigate to the SOA Suites Managed Server. Right click and select SOA Administration and then Common Properties.

Choose “More SOA Infra Advanced Configuration Properties” at the bottom.

Press the “KeystoreLocation” link.

Input the path to the keystore and press Apply.

3. Set Keystore password in the SOA Suite

Navigate to Weblogic Domain and select your SOA Suite Domain. Right click and select Security and then Credentials.

Press Create Map and input SOA. It must be SOA to work.

Press Create Key and input:

  • Map: SOA
  • Key: KeystorePassword
  • User Name: KeystorePassword
  • Password: Password for the soa_trust.jks keystore.

It must be KeystorePassword for both Key and User Name to work.

Test
When you start the Managed Server the .out log file should look like this:
INFO: SSLSocketFactoryManagerImpl.getKeystoreLocation SOA Keystore location: /u01/app/oracle/domains/my_domain/keystores/soa_trust.jks
INFO: SSLSocketFactoryManagerImpl.getKeystorePassword Obtained valid keystore password
INFO: SSLSocketFactoryManagerImpl.getKeyPassword Obtained null or empty key password

We have only input the password for the keystore not the key so it is OK that it cannot find this.

If you have input something wrong it looks like this:
INFO: SSLSocketFactoryManagerImpl.getKeystoreLocation SOA Keystore location: /u01/app/oracle/domains/my_domain/keystores/soa_trust.jks
INFO: SSLSocketFactoryManagerImpl.getKeystorePassword Obtained null or empty keystore password
INFO: SSLSocketFactoryManagerImpl.getKeyPassword Obtained null or empty key password
INFO: SSLSocketFactoryManagerImpl.getSSLSocketFactory Could not obtain keystore location or password

You can find more information here. This is for Two-way SSL but the steps are the same.

Leave a Comment

Previous post:

Next post: