Archive for March, 2015

Service Bus 12c– Outbound SSL

In the last 2 posts, we have seen how to configure Service Bus to use 1-Way SSL and 2-Way SSL. In both of these scenarios, our Service Bus managed server is acting as Server but our server can also become a Client when talking to external services using the Business Services having SSL enabled. So we will discuss about Outbound SSL in this post.

1-Way SSL

Before getting into the required OSB setup, enable our SOAP UI mock service to use SSL. Go to File –> Preferences –> SSL Settings and set properties as shown below.


Access your mock service as shown below to confirm that SSL is enabled.


Now update the business service endpoint URI with this URL in the Service Bus Console as shown below.


Now test your business service and you can observe following error in server logs. This is because you have not yet updated the OSB server trust store with the certificate of SOAP UI mock service.



So now export the Public Certificate from the keystore used for mock service and import into OSB trust store using following commands.

keytool –exportcert -alias localclient -keystore clientkeystore.jks -file localclient.cer

keytool -importcert -alias localclient -keystore osbkeystore.jks -file localclient.cer

Now test your Business Service to see the response as given below.


2-Way SSL

In case of 2-way SSL, our Proxy Service acts as client and need to send the corresponding Public Certificate when server requests(in our case, it’s SOAP UI Mock Service).

In Service Bus, the resource Service Key Provider is used to retrieve the required PKI credentials that  includes Private key paired with a certificate. Proxy services use this key-pair to authenticate when acting as a client during an outbound SSL i.e. during routing a message to HTTPS business service or proxy service requiring Client Certificate authentication. You can find more information in Service Bus documentation here.

Service Key Provider makes use of PKI credential mapper  to retrieve the PKI credentials which has to be created first.

PKI Credential Mapper

In WLS admin console, navigate to Security Realms –> myrealm –> Providers –> Credential Mapping. Click New.


Give name and select Type as PKICredentialMapper and Click OK.


Verify that new credential mapping provider is created.


Now click SSLPKIProvider and navigate to Provider Specific tab. Mention the Keystore and Pass Phrase specific to OSB managed server and click Save.


Service Key Provider

We will directly use the sbconsole for creating the Service Key Provider and to make other required changes for Business and Proxy Services.

Create a OSB session and select Service Key Provider from drop down menu as shown below once you select the Service Bus Project.


Provide the name and click Create.


Now the Service Provider Definition look like as below. Since we are using this for SSL purpose click search icon for SSL Client Authentication Key.


Choose the Key Alias as shown below and provide the password.


Click OK to bring up following screen and Save your changes done for Service Key Provider. Do activate Service Bus session.


Soap UI Settings

Before proceeding with Proxy and Business service changes, you have to enable the SOAP UI mock service to request for Client Certificate.

To do this, navigate to File –> Preferences –> SSL Settings and choose Client Authentication as shown below.


Now test your Proxy Service to observe the following errors in response tab, jetty log and Service Bus logs respectively. This happens as we have not yet imported OSB server Public Certificate into clientkeystore.jks and also did not configure our Proxy/Business Service to send the client Certificate.




Export OSB server public certificate and import into clientkeystore.jks using following commands.

keytool -exportcert -alias localosb –keystore osbkeystore.jks –file osbcert.cer

keytool -importcert -alias localosb -keystore clientkeystore.jks –file osbcert.cer


With this, we are done with the SOAP UI settings and let us proceed  with the changes required for Proxy and Business Services.

Proxy and Business Service changes

Open business service and navigate to Transport Detail tab. Select Client Certificate as shown below for Authentication and save changes.


Open proxy service and navigate to Security –> Security Settings tab. Click search icon for Service Key Provider.


Click Search and select the one that we have created earlier as shown below and click OK.


Now Security tab should show your selection as below.


Remember that you have to create OSB session before making changes and need to activate it once your changes are done.

You should see successful response as shown below, if you test your proxy service now.


Please note that above logs are generated when following JVM options are set in setDomainEnv.cmd file for EXTRA_JAVA_PROPERTIES.

           -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true


Service Bus 12c– Two way SSL

In this post, we will see how to enable two-way SSL in Service Bus 12c. The steps mentioned here have to be performed in addition to steps mentioned in the previous post.

Navigate to Servers –> osb_server1 –> SSL in WLS Admin Console. Expand Advanced section and set Two Way Client Cert Behavior as shown below. This would enforce WLS to request the Client certificate during SSL handshake and will result into an error if the client certificate is not present in trust store.


Now create a keystore clientkeystore1.jks using following command and will  be used in SOAP UI.

keytool -genkeypair -keyalg RSA -alias localclient1 -keystore clientkeystore1.jks -storepass cljks123 -validity 360 -keysize 2048

Set global SSL Settings in SOAP UI as shown below by navigating to File –> Preferences. Specify the above created keystore and  password.


Restart OSB managed server. Now if you test your Proxy Service from SOAP UI, you would see an error like below in the server log as the trust store does not have the client certificate.


So export and import corresponding Client Certificate into the OSB trust store using following commands.

keytool -exportcert -alias localclient1 -keystore clientkeystore1.jks -file localclient1.cer

keytool -importcert -alias localclient1 -keystore osbkeystore.jks -file localclient1.cer


Now test your Proxy Service from SOAP UI and you would see the response as expected without any error. And now the server log will be shown like below.


Please note that above logs are generated when following JVM options are set in setDomainEnv.cmd file for EXTRA_JAVA_PROPERTIES.

           -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

ADF–Using bind variable with IN clause

Using IN clause is very common requirement when working with the ADF View Objects and rows have to be filtered on multiple values of the same attribute.

In this blog, Jobinesh shows a way to achieve this requirement using the bind variable. The same approach is not working when we have to use the multiple columns in IN clause like below:

                     select * from tableA where (col1,col2,col3) IN ()

We can use the following code to achieve this and have tested in ADF 11g.

import oracle.jbo.domain.Array;
import oracle.jbo.domain.DomainContext;
import oracle.sql.ArrayDescriptor;
import oracle.sql.STRUCT;
import oracle.sql.StructDescriptor;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
/* create the DB object and table as below
create or replace TYPE DB_OBJECT AS OBJECT(
destcol1 varchar2(100 char), destcol2 number,destcol3 varchar2(100 char),destcol4 number );
public void setVOArrayBindVariable(){
Connection conn = null;
PreparedStatement stmt = null;
StructDescriptor structDescriptor = null;
ArrayList<STRUCT> arrayList = new ArrayList<STRUCT>();
stmt = getDBTransaction().createPreparedStatement("select 1 from dual", 0);
conn = stmt.getConnection();
structDescriptor = StructDescriptor.createDescriptor("DB_OBJECT",conn);
//loop through and populate your arrayList with the values to be used in IN clause
for (int j = 0; j < 10; j++) {
// constucting the Object to create struct definition
Object[] o = new Object[]{getValue1(), getValue2(),getValue3(),getValue4()};
STRUCT item = new STRUCT(structDescriptor,conn,o);
conn.createStruct("DB_OBJECT", o);
if(eventDataIdList.size() > 0){
ArrayDescriptor tableArray = ArrayDescriptor.createDescriptor("DB_TABLE", conn);
Array domainArray = new Array(tableArray,conn,arrayList.toArray());
//set the bind variable. your VO should have bind variable of type oracle.jbo.domain.Array
//execute the query
} catch (SQLException sqlex) {
//do log the error
} catch (Exception ex) {
//do log the error
} finally {
try {
} catch (SQLException sqlex) {
//do log the error
/* your getCriteriaItemClause() code look like below */
public String getCriteriaItemClause(){
//do the following only for your VC and VC item. details are omitted here
String whereClause = "(1=1)";
String eoName = this.getEntityDef(0).getAliasName();
if(getbindDomainArray() != null){
whereCluase =
" (" +eoName + ".col1,"+eoName + ".col2,"+eoName + ".col3,"+ eoName+".col4)" +
" IN (SELECT destcol1, destcol2, destcol3, destcol4 FROM TABLE(:bindDomainArray))";
return whereClause;

Service Bus 12c– One way SSL

In this post, we will see how to configure Service Bus to use One way SSL.

Here, we are not discussing about the SSL concepts and people who want to go through quick introduction of SSL can go through this.

In Summary, following are the steps to be followed:

  • Generate Custom Identity and Trust stores.
  • Enable SSL port.
  • Setting up the keystores.
  • Configure private keys for SSL

Please note that, JSSE (Java Secure Socket Extension)  is the only supported SSL implementation. The Certicom-based SSL implementation is removed and is no longer supported in WebLogic Server.

Create a folder keystores %FMW_HOME% to store all of your keystores used and issue the following command to generate a keystore for Admin server use as shown below.

keytool -genkeypair -keyalg RSA -alias localadmin -keystore adminkeystore.jks -storepass adjks123 -validity 360 -keysize 2048


This creates keystore adminkeystore.jks having both public and the private keys with alias localadmin. You can observe the contents of keystore using the following command.

keytool -list -v -keystore adminkeystore.jks


Similarly, create other keystores to use for OSB and SOA managed servers and also a keystore to use for the client as shown below.


Enable SSL port by navigating to Environment –> Severs-> Admin Sever –> General.


By Default, WLS uses the Demo Identity and Trust keystores and you can find them in %DOMAIN_HOME/security and %WLS_HOME%/server/lib. Oracle strictly recommends to use the Custom keystores at least for the Production environments. Hence we will use the custom keystores in this post.

Go to Keystores tab and click Change.


Select Custom Identity and Custom  Trust as shown below and click Save.


Modify Custom Identity and Trust stores as shown below and here you also need to give keystore password. Click Save.


Go to SSL tab and give the Private key alias as shown below.


Go to Advanced settings and set Hostname verification to None and also set Two way Client Cert Behavior to Clients Certs not Required as we are doing setup for 1-way SSL. This setting will enforce WLS server not to request client certificates.


Modify EXTRA_JAVA_PROPERTIES  in setDomainEnv.cmd to use following parameters and restart the admin server. This is required as to instruct WLS server to load trusted certificates.\Oracle\Middleware\FMW1213New \keystores\adminkeystore.jks

Now you should be able to access WLS admin console using following URL and this confirm the SSL is configured on your admin server.


You can refer to WLS documentation here for more information on this.

The following error is observed when we use a keystore as Trust store with zero trust certificates.

<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer] TRUSTSTORE_MANAGER: No certs to
<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer] TRUSTSTORE_MANAGER: No trusted
CAs available to populate trust anchors.>
<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer] TRUSTSTORE_MANAGER: Error initi
alizing trust manager factory: the trustAnchors parameter must be non-empty. the trustAnchors parameter must be non-empty

To debug SSL, modify EXTRA_JAVA_PROPERTIES  in setDomainEnv.cmd to include the following parameters.

-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

To enable debugging include the following parameter.

To eliminate this error, you can install any trust certificate into localadmin.jks or use cacerts keystore (available in %WLS_HOME%/server/lib) as Trust store. Here i have exported Public Certificate from clientkeystore.jks and got that imported into localadmin.jks.

Use the following command to export:

            keytool -exportcert -alias localclient -keystore clientkeystore.jks -file localclient.cer

Use the following command to import:

             keytool -importcert -alias localclient -keystore adminkeystore.jks -file localclient.cer

Now verify the contents of your keystore as below.

              keytool -list -v -keystore adminkeystore.jks


Similarly, configure OSB managed server using keystore osbkeystore.jks and use 7005 as the SSL port. Restart the OSB server after your changes.




To enable your proxy services to be accessed only by SSL, you have to enable HTTPS option as below.


Now if you try to access your Proxy Service WSDL from browser, it will be automatically uses SSL as shown below.


Most of the people uses SOAP UI to test their webservices. If you try to access this WSDL, you will be able to access from SOAP UI even without adding the required certificates to trust store. This is because SOAP UI trusts all by default as per this forum post.

To confirm the enablement of SSL on the Proxy Service, let us try to create a Webservice Proxy in JDeveloper that prompts to accept/trust the certificate.



When you enable SSL debugging, you might observe the following exception in server log though your 1-way SSL works as expected. As per Oracle Support note 1606295.1, this is not a harmful exception.

<1425221899641> <BEA-000000> <Exception processing certificates: peer not authenticated peer not authenticated
at weblogic.servlet.provider.WlsSecurityProvider.getSSLAttributes(
at weblogic.servlet.internal.VirtualConnection.initSSLAttributes(
at weblogic.servlet.internal.VirtualConnection.init(
at weblogic.servlet.internal.ServletRequestImpl.initFromRequestParser(
at weblogic.servlet.internal.HttpConnectionHandler.dispatch(
at weblogic.servlet.internal.MuxableSocketHTTP.dispatch(
at weblogic.socket.JSSEFilterImpl.dispatch(
at weblogic.socket.MuxableSocketDiscriminator.dispatch(
at weblogic.socket.JSSEFilterImpl.dispatch(
at weblogic.socket.SocketMuxer.readReadySocketOnce(
at weblogic.socket.SocketMuxer.readReadySocket(
at weblogic.socket.NIOSocketMuxer.process(
at weblogic.socket.NIOSocketMuxer.processSockets(
at weblogic.socket.SocketReaderRequest.execute(
at weblogic.kernel.ExecuteThread.execute(


Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 379 other subscribers

Enter your email address to follow this blog and receive notifications of new posts by email.

%d bloggers like this: