As part of the Soaring through the Clouds demo of 17 Oracle Public Cloud services, I had to integrate SOA CS with both ACCS (Application Container Cloud) and ICS (Integration Cloud Service).
Calls from Service Bus and SOA Composites running in SOA Suite 12c on SOA CS to endpoints on ACCS (Node.js Express applications) and ICS (REST connector endpoint) were required in this demo. These calls are over SSL (to https endpoints) and for ICS also require basic authentication (at present, ICS endpoints cannot be invoked anonymously).
This article shows the steps for taking care of these two aspects:
- ensure that the JVM under SOA Suite on SOA CS knows and trusts the SSL certificate for ACCS or ICS
- ensure that the call from SOA CS to ICS carries basic authentication details
The starting point is a SOA Composite that corresponds with the preceding figure – with external references to DBaaS (through Database Adapter), ICS (to call an integration that talks to Twitter) and ACCS (to invoke a REST API on NodeJS that calls out to the Spotify API):
Configure SSL Certificate on JVM under SOA Suite on SOA CS
I have tried to deploy the SOA composite (successful) and invoke the TweetServiceSOAP endpoint (that invokes ICS) (not successful). The first error I run into is:
env:Serverjavax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targetoracle.sysman.emInternalSDK.webservices.util.SoapTestException: Client received SOAP Fault from server : javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This may sound a little cryptic, but is actually quite simple: the endpoint for the ICS service I am trying to invoke is: https://ics4emeapartner-partnercloud17.integration.us2.oraclecloud.com/integration/flowapi/rest/ACEDEM_RESTME_… The essential is right at the beginning: https. The communication with the endpoint is secure, over SSL. This requires the certificate of the ICS server to be used by SOA CS (in particular the JVM under WebLogic running SOA Suite on the SOA CS instance). For this to happen, the certificate needs to be configured with the JVM as a trusted certificate.
With WebLogic 12c it has become a lot easier to register certificates with the server – going through the Enterprise Manager Fusion Middleware Control. These are the steps:
1. Paste the endpoint for the ICS service in the browser’s location bar and try to access it; this will not result in a meaningful response. It will however initiate an SSL connection between browser and server, as you can tell from the padlock icon displayed to the left of the location bar
2. Click on the padlock icon, to open the details for the SSL certificate
Open the Security tab and click on View Certificate
3. Open the Details tab and Export the Certificate
Save the certificate to a file:
4. Open the Enterprise Manager Fusion Middleware Control for the WebLogic Domain under the SOA CS instance. Navigate to Security | Keystore:
5. Select Stripe system | trust and click on the Manage button
6. Click on Import to import a new certificate:
Select Trusted Certificate as the Certificate Type. Provide an alias to identify the certificate.
Click browse and select the file that was saved when exporting the certificate in step 3:
Click OK.
The Certificate is imported and added to the keystore:
7. Restart the WebLogic Domain (admin server and all managed servers)
Unfortunately for the new certificate to become truly available, a restart is (still) required. (or at least, that is my understanding, perhaps you can try without because it seems like a very heavy step)
This blog by Adam DesJardin from our REAL partner AVIO Consulting provided much of the answer: http://www.avioconsulting.com/blog/soa-suite-12c-and-opss-keystore-service
Add basic authentication to the call from SOA CS to ICS
When I again tested my call to the TweetServiceSOAP endpoint (that invokes ICS), I was again not successful. This time, a different exception occurred:
env:ServerAuthorization Requiredoracle.sysman.emInternalSDK.webservices.util.SoapTestException: Client received SOAP Fault from server : Authorization Required
This is not really a surprise: all calls to ICS endpoints require basic authentication (because at present, ICS endpoints cannot be invoked anonymously). These are the steps to make this successful:
1. Create an Oracle Public Cloud user account with one permission: call ICS services: johndoe
Now we need to a credential for jonhdoe in a credential map in the credential store in WebLogic, and refer to that credential in a OWMS Security Policy that we add to the Reference in the SOA Composite that makes the call to ICS.
2. Open the Enterprise Manager Fusion Middleware Control for the WebLogic Domain under the SOA CS instance. Navigate to Security | Credentials:
3. If the map oracle.wsm.security does not yet exist, click on Create Map. Enter the name oracle.wsm.security in the Map Name field and click on OK.
4. Select the map oracle.wsm.security and click on Create Key
Set the Key for this credential; the key is used to refer to the credential in the security policy. Here I use ICSJohnDoe.
Set the type of Password and the username and password to the correct values for the ICS user. Click on OK to create.
5. Add a security policy to the Reference in the SOA Composite.
In JDeveloper open the SOA Composite. Right click on the Reference. Select Configure SOA WS Policies from the context menu.
Click on the plus icon in the category Security. Select oracle/http_basic_auth_over_ssl_client_policy.
Set the value of property csf-key to the Key value defined for the credential in step 4, in my case ICSJohnDoe.
Click on OK.
6. Redeploy the SOA Composite to SOA CS.
This time when I invoke the Web Service, my Tweet gets published:
The flow trace for the SOA Composite:
Resources
A-Team Article – add certificate to JCS and invoke JCS from ICS – http://www.ateam-oracle.com/configuring-https-between-integration-cloud-service-and-java-cloud-service/
Hi Lucas
My requirement is to invoke ICS service from OnPremise SOA (Not SOACS). I followed all the steps from your post, but facing javax.net.ssl.SSLHandshakeException: .
0oracle.fabric.common.FabricInvocationException: javax.xml.ws.WebServiceException: Could not determine wsdl ports. WSDLException: faultCode=PARSER_ERROR: Failed to read wsdl file at: “https://xxxxxxxxxx.integration.us2.oraclecloud.com/integration/flowsvc/soap/OCC_GET_PRODUCTS/v01/?wsdl”, caused by: javax.net.ssl.SSLHandshakeException.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
null
unable to find valid certification path to requested targetCould you please advise.
Thanks
Venkat.