Oracle SOA Suite 12c- PKIX path building failed & unable to find valid certification path to requested target

-


Hi Everyone, in this blog I'll be writing one of the strange issue that has been encountered while working with a Oracle SOA composite running in Oracle IDAM environment and trying to invoke a SSL based remote service where SSL certification based exception has been thrown during the service invocation.

Environment
  • Oracle SOA Suite 12c (HA Mode)
  • Oracle IDAM 12c (HA Mode)
  • Oracle Linux 7
  • External Web Service (SOAP Service)
Problem
Below is the exception thrown when trying to invoke an external webservice (SSL Based) via BPEL process-

<bpelFault><faultType>0</faultType><remoteFault xmlns="http://schemas.oracle.com/bpel/extension"><part name="summary"><summary>oracle.fabric.common.FabricInvocationException: Unable to invoke endpoint URI "https://idam.uppclonline.com/soa-infra/services/default/DefaultOperationalApproval!5.12*soa_69e4734b-d8fe-4edf-b44e-e287f61c2ddf/SMSNotification%23ApprovalProcess/SMSNotification" successfully due to: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
===== reqeust ========
SOAPAction:"processResponse"
Content-Type:text/xml; charset=UTF-8
Content-Length:3354
&lt;env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" 

Cause
Following are the possible cause of this problem-
  1. Certificate binds with provided target service is Invalid and not trusted.
  2. To invoke any web service exposed on HTTPS client must trust the ssl certificate which binds with web service/ web hosting server. In SOA running on Weblogic uses JDK provided trust store to trust any SSL certificate for inbound and outbound connections.
  3. Using DemoTrust.jks in java keystore of Weblogic domain home environment file setDomainEnv.sh in production environment where host machine to remote machine communication is performed.
  4. In this scenario, a SOA service running in Host environment is trying to invoke a SSL based SMS service running on a remote environment i.e. SMS service endpoint has https prefix.
Solution
Referring to my blog  Oracle Weblogic Server Importing SSL Keys , we need to perform following steps to overcome this problem-
    
    1. Import SSL certificates (*.cer only i.e. geotrust.cer) at following locations-
    • JAVA_HOME
      • Location: /usr/java/jdk1.8.0_181-amd64/jre/lib/security/cacerts
      • Command: keytool -import -alias <ALIAS_NAME> -keystore <CACERTS_PATH> -file <*.CER CERTIFICATE_PATH> 
      • Command:  keytool -import -alias geotrust -keystore /usr/java/jdk1.8.0_181-amd64/jre/lib/security/cacerts -file /home/oracle/Desktop/sslKeys/geotrust.cer
    • SOA_DOMAIN_HOME
      • Location: /u01/oracle/products/SOA_DOMAIN_HOME/wlserver/server/lib/cacerts
      • Command: keytool -import -alias <ALIAS_NAME> -keystore <CACERTS_PATH> -file <*.CER CERTIFICATE_PATH> 
      • Example: keytool -import -alias geotrust -keystore /u01/oracle/products/OIG_HOME/wlserver/server/lib/cacerts -file /home/oracle/Desktop/sslKeys/geotrust.cer
Note: Importing the certificates to JAVA_HOME might be optional but has worked in my environment.

    2. Remove Demotrust.jks property from setDomainEnv.sh file as-
        Location: SOA_DOMAIN_HOME/bin/setDomainEnv.sh
        Example: /u01/oracle/products/SOA_DOMAIN_HOME/
        
setDomainEnv.sh
        Now Search for following line 
    EXTRA_JAVA_PROPERTIES="-        Djavax.net.ssl.trustStore=${WL_HOME}/server/lib/DemoTrust.jks ${EXTRA_JAVA_PROPERTIES} -Dsoa.archives.dir=${SOA_ORACLE_HOME}/soa -Dsoa.oracle.home=${SOA_ORACLE_HOME} -Dsoa.instance.home=${DOMAIN_HOME} -Dtangosol.coherence.log=jdk -Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl -Dweblogic.transaction.blocking.commit=true -Dweblogic.transaction.blocking.rollback=true -Doracle.xml.schema/Ignore_Duplicate_Components=true -Doracle.xdkjava.compatibility.version=11.1.1 -Doracle.soa.compatibility.version=11.1.1 -Ddisable-implicit-bean-discovery=true"
export EXTRA_JAVA_PROPERTIES
Delete this section from above property
    -Djavax.net.ssl.trustStore=${WL_HOME}/server/lib/DemoTrust.jks ${EXTRA_JAVA_PROPERTIES}

Revised EXTRA_JAVA_PROPERTIES Line should be-
EXTRA_JAVA_PROPERTIES="-Dsoa.archives.dir=${SOA_ORACLE_HOME}/soa -Dsoa.oracle.home=${SOA_ORACLE_HOME} -Dsoa.instance.home=${DOMAIN_HOME} -Dtangosol.coherence.log=jdk -Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl -Dweblogic.transaction.blocking.commit=true -Dweblogic.transaction.blocking.rollback=true -Doracle.xml.schema/Ignore_Duplicate_Components=true -Doracle.xdkjava.compatibility.version=11.1.1 -Doracle.soa.compatibility.version=11.1.1 -Ddisable-implicit-bean-discovery=true"
export EXTRA_JAVA_PROPERTIES

3. Restart the SOA Server(s).
4. Retry the composite functionality by testing the SOA service.

Ideally the communication should work smoothly as calling environment has necessary SSL certificates installed at respective locations.

Comments

  1. UnknownJanuary 6, 2021 at 2:52 PM

    Usually I never comment on blogs but your article is so convincing that I never stop myself to say something about it. You’re doing a great job Man learn Oracle SOA Online Training

    ReplyDelete
  2. Oracle WebLogic TrainingJanuary 18, 2021 at 10:20 PM

    Simply wish to say your article is as astonishing. The clarity in your post is simply great, and I could assume you are an expert on this subject. Same as your blog i found another one Oracle WebLogic .Actually I was looking for the same information on internet for Oracle WebLogic and came across your blog. I am impressed by the information that you have on this blog. Thanks a million and please keep up the gratifying work.

    ReplyDelete
  3. laxmicynixitNovember 3, 2021 at 12:38 PM

    Thank you for sharing wonderful information with us to get some idea about it.

    soa Online Training Hyderabad

    ReplyDelete

Post a Comment

Popular posts from this blog

Oracle SOA Suite- Implementing Email Notification

-
Image
In this post, I am going to show how to implement email notifications in Oracle SOA Suite using BPEL process. So let's get started- Implementing email notification in Oracle SOA Suite consists of below steps: Environment- IDE- Oracle jDeveloper 11g Weblogic Server 12c Oracle SOA Suite 12c High Level Steps Keep ready email server settings. Configure & enable usermessagingdriver-email for target SOA servers via console. Setting up Email driver (usermessagingdriver-email )with email server settings via enterprise manager. Enable notifications for SOA workflows(make sure either All or EMail option is selected).. Create SOA composite application Deploy it on SOA server. Testing & done. 1. Keep ready email server settings. Keep ready your below email server settings: Outgoing Mail Server          : smtp.domain.com Outgoing Mail Server Port   : xxx Default From Address         : username@doamin.com Outgoing Username            : actualemailid@doma
Read more

Migration of Oracle SOA Suite Composite from 11g to 12c

-
Image
Recently I have came across a scenario where I have a business requirement of  migration of Oracle SOA Suite 11g(11.1.1.7.0) to 12c(12.1.3.0). Below are the different mechanisms I have tried to do, few of them failed and one succeeded. Working in Oracle SOA Suite 11g is completely different from 12c. In 11g, we need to install the jDeveloper(11.1.1.7) then SOA extension separately to be installed either via offline file  (download available at  https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/156082.xml ) or through jDeveloper top menu >>  Help >> Check for Updates >> SOA Extension.  While working with 12c doesn't involves such tedious job. Only single installer is required for jDeveloper/SOA/Weblogic and is available as QuickStart Installer(download available at https://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html). Approach 1- Compress(Zip) SOA composite code of 11g version (11.1.1.7.0) and unzip to a differe
Read more