Configuring TLS/HTTPS for Oracle EBS Integrated SOA Gateway (ISG) in 12.2

Table of Contents

Introduction

Oracle E-Business Suite Integrated SOA Gateway configuration is simplified in EBS 12.2 release. However additional steps are required if your EBS instance is configured for TLS. Actually all the required steps are included in the Doc ID 1367293.1, but may be overlooked as they do not affect the main EBS functionality with TLS. It was the story with me as I just skipped some steps when enabling TLS in one of our dev environments. But later when our developers tried to access ISG and faced errors I had to read the instruction more closely and perform the required steps. In this post I will share my experience.

References

Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)

Diagnostic steps

Make an ISG call that does not work and check the following log file for errors:

$EBS_DOMAIN_HOME/servers/oafm_server1/logs/oafm_server1.out

If you see the following error messages, then you need to configure loopback connections as per Doc ID 1367293.1:

java.lang.ClassCastException: weblogic.net.http.SOAPHttpsURLConnection cannot be cast to javax.net.ssl.HttpsURLConnection

If you don’t see any error messages in the oafm_server1.out, configure the ISG logging as per the following doc and reproduce the issue again:

How to Generate File ISGLog.log for SOAP Services in Release 12.2.X? (Doc ID 2008707.1)

The additional justification: login to the apps node and execute the following command

ps -ef|grep DUseSunHttpHandler|grep -v grep

If no processes are returned, then WLS servers are not configured to use the DUseSunHttpHandler option and it may lead to the issue. If the WLS servers are configured properly you will see an output similar to the following:

Configuration steps

Update the AdminServer and the Managed Server (WLS) Configuration

For the AdminServer, update the context variable

s_nm_jvm_startup_properties

and append the JVM parameters to the end of the line, separated by a space.

-DUseSunHttpHandler=true -Dhttps.protocols=TLSv1.2

Run autoconfig on the apps tier

su - applmgr
cd $ADMIN_SCRIPTS_HOME
./adautocfg.sh

For all managed servers, append the following JVM parameter to all managed servers

Log in to Oracle WebLogic Server Administration console (for example, http://{hostname}.{domain}:{AdminServer Port}/console)

Click on Lock & Edit.

Under Domain Structure > your Oracle E-Business Suite domain > Environment and Servers, select one of the managed servers. (Note that you will need to repeat this for all managed servers in your environment.)

Then under the Server Start tab in the Arguments section, add the following:

-DUseSunHttpHandler=true -Dhttps.protocols=TLSv1.2

Click on Save.

Repeat steps 3 and 4 for all remaining managed servers.

Configure Custom Hostname Verifier

For each of the managed servers and the AdminServer, under the SSL tab, click on Advanced, and set the Hostname Verification to Custom Hostname Verifier and the Custom Hostname Verifier field to

weblogic.security.utils.SSLWLSWildcardHostnameVerifier

This may or may not already be set depending on your existing patch level.

Click on Activate Changes.

Update the truststore with the CA certificate

Get the EBS instance SSL certificate using the browser. Export it into the file. In the below commands it is referred to as EBS_CERTIFICATE.

Also it is required to do the same steps for the load balancer certificate if it is used and different from the EBS certificate.

Reference:
Exception in thread “main” java.lang.NullPointerException Getting Cookie To Invoke REST Services Using Token Base Authentication In ISG (Doc ID 2402157.1)

It is referred as LOAD_BALANCER_CERTIFICATE.

ls -l $ORACLE_HOME/sysman/config/b64InternetCertificate.txt cd $ORACLE_HOME/sysman/config/ cp b64InternetCertificate.txt backup_b64InternetCertificate.txt cat ca.crt>>$ORACLE_HOME/sysman/config/b64InternetCertificate.txt

cd $COMMON_TOP/util/jdk64/jre/lib/security
cp cacerts backup_cacerts
keytool -import -alias Customer_dev -v -keystore cacerts -file ca.crt

cd $OA_JRE_TOP/lib/security
cp cacerts backup_cacerts
keytool -import -alias Customer_dev -v -keystore cacerts -file ca.crt

In case of self signed certificates:

cd $ORACLE_HOME/sysman/config/ cp b64InternetCertificate.txt backup_b64InternetCertificate.txt cat EBS_CERTIFICATE>> $ORACLE_HOME/sysman/config/b64InternetCertificate.txt cat LOAD_BALANCER_CERTIFICATE>> $ORACLE_HOME/sysman/config/b64InternetCertificate.txt

cd $COMMON_TOP/util/jdk64/jre/lib/security
cp cacerts backup_cacerts
keytool -import -alias Customer_dev -v -keystore cacerts -file EBS_CERTIFICATE
keytool -import -alias Customer_Load_Balancer -v -keystore cacerts -file LOAD_BALANCER_CERTIFICATE

cd $OA_JRE_TOP/lib/security
cp cacerts backup_cacerts
keytool -import -alias Customer_dev -v -keystore cacerts -file EBS_CERTIFICATE
keytool -import -alias Customer_Load_Balancer -v -keystore cacerts -file LOAD_BALANCER_CERTIFICATE

Note: The default cacerts keystore password: changeit

Restart the application services

su - applmgr
cd $ADMIN_SCRIPTS_HOME
./adstpall.sh apps/****
./adstrtal.sh apps/****

Verify the weblogic server startup options

ps -ef|grep DUseSunHttpHandler

Make sure it returns the all weblogic server processes (Admin and managed) using the above option.

Test the connection to the ISG rest service

https://ebs_url/webservices/rest/login

If it is successful then the configuration complete.
The response should look like:

Run fs_clone

Run adop phase=fs_clone to propagate the changes to the patch filesystem.

adop phase=fs_clone

Author: Alexander Pavlik

Find out more

Features

Discover how Blitz Report™ simplifies report creation out of the Oracle E-Business Suite.

Download

Blitz Report™ is completely free
up to 30 different reports

FAQ

What is Blitz Report™?
Why do I need Blitz Report™?