Oracle Public Cloud – Invoking ICS endpoints from SOA CS – configure SSL certificate and basic authentication


As part of the Soaring through the Clouds demo of 17 Oracle Public Cloud services, I had to integrate SOA CS with both ACCS (Application Container Cloud) and ICS (Integration Cloud Service).


Calls from Service Bus and SOA Composites running in SOA Suite 12c on SOA CS to endpoints on ACCS (Node.js Express applications) and ICS (REST connector endpoint) were required in this demo. These calls are over SSL (to https endpoints) and for ICS also require basic authentication (at present, ICS endpoints cannot be invoked anonymously).

This article shows the steps for taking care of these two aspects:

  • ensure that the JVM under SOA Suite on SOA CS knows and trusts the SSL certificate for ACCS or ICS
  • ensure that the call from SOA CS to ICS carries basic authentication details

The starting point is a SOA Composite that corresponds with the preceding figure – with external references to DBaaS (through Database Adapter), ICS (to call an integration that talks to Twitter) and ACCS (to invoke a REST API on Node.js that calls out to the Spotify API).

Configure SSL Certificate on JVM under SOA Suite on SOA CS

I have tried to deploy the SOA composite (successful) and invoke the TweetServiceSOAP endpoint (that invokes ICS) (not successful). The first error I ran into is:

env:Server

javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

oracle.sysman.emInternalSDK.webservices.util.SoapTestException: Client received SOAP Fault from server : javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This may sound a little cryptic, but it is actually quite simple. The endpoint for the ICS service I am trying to invoke is: https://ics4emeapartner-partnercloud17.integration.us2.oraclecloud.com/integration/flowapi/rest/ACEDEM_RESTME_… The essential part is right at the beginning: https. The communication with the endpoint is secure, over SSL. For the SSL handshake to succeed, SOA CS (in particular the JVM under WebLogic running SOA Suite on the SOA CS instance) must know and trust the certificate of the ICS server. For this to happen, the certificate needs to be registered with the JVM as a trusted certificate.

With WebLogic 12c it has become a lot easier to register certificates with the server – going through the Enterprise Manager Fusion Middleware Control. These are the steps:

1. Paste the endpoint for the ICS service in the browser’s location bar and try to access it; this will not result in a meaningful response. It will, however, initiate an SSL connection between browser and server, as you can tell from the padlock icon displayed to the left of the location bar.

2. Click on the padlock icon to open the details for the SSL certificate.

Open the Security tab and click on View Certificate.

3. Open the Details tab and Export the Certificate.

Save the certificate to a file.

4. Open the Enterprise Manager Fusion Middleware Control for the WebLogic Domain under the SOA CS instance. Navigate to Security | Keystore.

5. Select Stripe system | trust and click on the Manage button.

6. Click on Import to import a new certificate.

Select Trusted Certificate as the Certificate Type. Provide an alias to identify the certificate.

Click Browse and select the file that was saved when exporting the certificate in step 3.

Click OK.

The Certificate is imported and added to the keystore.

7. Restart the WebLogic Domain (admin server and all managed servers)

Unfortunately, for the new certificate to become truly available, a restart is (still) required (or at least, that is my understanding; perhaps you can try without, because it seems like a very heavy step).

This blog by Adam DesJardin from our REAL partner AVIO Consulting provided much of the answer: http://www.avioconsulting.com/blog/soa-suite-12c-and-opss-keystore-service

 

Add basic authentication to the call from SOA CS to ICS

When I again tested my call to the TweetServiceSOAP endpoint (that invokes ICS), I was again not successful. This time, a different exception occurred:

env:Server

Authorization Required

oracle.sysman.emInternalSDK.webservices.util.SoapTestException: Client received SOAP Fault from server : Authorization Required

This is not really a surprise: all calls to ICS endpoints require basic authentication (because at present, ICS endpoints cannot be invoked anonymously). These are the steps to make this successful:

1. Create an Oracle Public Cloud user account with one permission: call ICS services: johndoe

Now we need to create a credential for johndoe in a credential map in the credential store in WebLogic, and refer to that credential in an OWSM Security Policy that we add to the Reference in the SOA Composite that makes the call to ICS.

2. Open the Enterprise Manager Fusion Middleware Control for the WebLogic Domain under the SOA CS instance. Navigate to Security | Credentials.

3. If the map oracle.wsm.security does not yet exist, click on Create Map. Enter the name oracle.wsm.security in the Map Name field and click on OK.

4. Select the map oracle.wsm.security and click on Create Key.

Set the Key for this credential; the key is used to refer to the credential in the security policy. Here I use ICSJohnDoe.

Set the Type to Password and set the username and password to the correct values for the ICS user. Click on OK to create.

5. Add a security policy to the Reference in the SOA Composite.

In JDeveloper, open the SOA Composite. Right-click on the Reference. Select Configure SOA WS Policies from the context menu.

Click on the plus icon in the category Security. Select oracle/http_basic_auth_over_ssl_client_policy.

Set the value of property csf-key to the Key value defined for the credential in step 4, in my case ICSJohnDoe.

Click on OK.

6. Redeploy the SOA Composite to SOA CS.
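The console steps for importing the trusted certificate (Security | Keystore) and creating the credential (Security | Credentials) can also be scripted with WLST, which makes them repeatable across environments. This is an added example, not part of the original article; the admin URL, certificate file path, alias and environment variable names are assumptions, as is the use of empty keystore passwords for the system stripe.

```wlst
# WLST (Jython) version of the two console procedures described in this article.
# Added example: every value marked "assumption" is a placeholder, not from the article.
import os

ADMIN_URL  = 't3://localhost:7001'     # assumption: address of the domain's admin server
CERT_FILE  = '/tmp/ics-endpoint.cer'   # assumption: the file saved when exporting the certificate
CERT_ALIAS = 'ics-endpoint'            # assumption: any alias that identifies the certificate

# Secrets are read from the environment so they never end up in the script itself.
# WLS_ADMIN_USER, WLS_ADMIN_PASSWORD and ICS_PASSWORD are assumed variable names.
connect(os.environ['WLS_ADMIN_USER'], os.environ['WLS_ADMIN_PASSWORD'], ADMIN_URL)

# SSL part: import the exported certificate as a Trusted Certificate into
# keystore "trust" of stripe "system" (the store selected under Security | Keystore).
# Empty passwords assume the store is permission-protected, not password-protected.
svc = getOpssService(name='KeystoreService')
svc.importKeyStoreCertificate(appStripe='system', name='trust', password='',
                              alias=CERT_ALIAS, keypassword='',
                              type='TrustedCertificate', filepath=CERT_FILE)

# List the trusted-certificate aliases to confirm the new alias is present.
svc.listKeyStoreAliases(appStripe='system', name='trust', password='',
                        type='TrustedCertificate')

# Basic authentication part: create the password credential that the csf-key
# property of oracle/http_basic_auth_over_ssl_client_policy refers to.
createCred(map='oracle.wsm.security', key='ICSJohnDoe', user='johndoe',
           password=os.environ['ICS_PASSWORD'],
           desc='Basic authentication credential for calls to ICS')

disconnect()
```

Attaching the policy to the Reference in JDeveloper and redeploying the composite remain as described in steps 5 and 6.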

 

This time when I invoke the Web Service, my Tweet gets published.

(Screenshot: the flow trace for the SOA Composite.)

Resources

A-Team Article – add certificate to JCS and invoke JCS from ICS – http://www.ateam-oracle.com/configuring-https-between-integration-cloud-service-and-java-cloud-service/


    About Author

    Lucas Jellema, active in IT (and with Oracle) since 1994. Oracle ACE Director for Fusion Middleware. Consultant, trainer and instructor on diverse areas including Oracle Database (SQL & PL/SQL), Service Oriented Architecture, BPM, ADF, JavaScript, Java in various shapes and forms and many other things. Author of the Oracle Press books: Oracle SOA Suite 11g Handbook and Oracle SOA Suite 12c Handbook. Frequent presenter on conferences such as JavaOne and Oracle OpenWorld. Presenter for Oracle University Celebrity specials.
