Service Bus 12c– One way SSL

In this post, we will see how to configure Service Bus to use One way SSL.

Here, we are not discussing about the SSL concepts and people who want to go through quick introduction of SSL can go through this.

In Summary, following are the steps to be followed:

  • Generate Custom Identity and Trust stores.
  • Enable SSL port.
  • Setting up the keystores.
  • Configure private keys for SSL

Please note that, JSSE (Java Secure Socket Extension)  is the only supported SSL implementation. The Certicom-based SSL implementation is removed and is no longer supported in WebLogic Server.

Create a folder keystores %FMW_HOME% to store all of your keystores used and issue the following command to generate a keystore for Admin server use as shown below.

keytool -genkeypair -keyalg RSA -alias localadmin -keystore adminkeystore.jks -storepass adjks123 -validity 360 -keysize 2048


This creates keystore adminkeystore.jks having both public and the private keys with alias localadmin. You can observe the contents of keystore using the following command.

keytool -list -v -keystore adminkeystore.jks


Similarly, create other keystores to use for OSB and SOA managed servers and also a keystore to use for the client as shown below.


Enable SSL port by navigating to Environment –> Severs-> Admin Sever –> General.


By Default, WLS uses the Demo Identity and Trust keystores and you can find them in %DOMAIN_HOME/security and %WLS_HOME%/server/lib. Oracle strictly recommends to use the Custom keystores at least for the Production environments. Hence we will use the custom keystores in this post.

Go to Keystores tab and click Change.


Select Custom Identity and Custom  Trust as shown below and click Save.


Modify Custom Identity and Trust stores as shown below and here you also need to give keystore password. Click Save.


Go to SSL tab and give the Private key alias as shown below.


Go to Advanced settings and set Hostname verification to None and also set Two way Client Cert Behavior to Clients Certs not Required as we are doing setup for 1-way SSL. This setting will enforce WLS server not to request client certificates.


Modify EXTRA_JAVA_PROPERTIES  in setDomainEnv.cmd to use following parameters and restart the admin server. This is required as to instruct WLS server to load trusted certificates.\Oracle\Middleware\FMW1213New \keystores\adminkeystore.jks

Now you should be able to access WLS admin console using following URL and this confirm the SSL is configured on your admin server.


You can refer to WLS documentation here for more information on this.

The following error is observed when we use a keystore as Trust store with zero trust certificates.

<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer] TRUSTSTORE_MANAGER: No certs to
<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer] TRUSTSTORE_MANAGER: No trusted
CAs available to populate trust anchors.>
<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer] TRUSTSTORE_MANAGER: Error initi
alizing trust manager factory: the trustAnchors parameter must be non-empty. the trustAnchors parameter must be non-empty

To debug SSL, modify EXTRA_JAVA_PROPERTIES  in setDomainEnv.cmd to include the following parameters.

-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

To enable debugging include the following parameter.

To eliminate this error, you can install any trust certificate into localadmin.jks or use cacerts keystore (available in %WLS_HOME%/server/lib) as Trust store. Here i have exported Public Certificate from clientkeystore.jks and got that imported into localadmin.jks.

Use the following command to export:

            keytool -exportcert -alias localclient -keystore clientkeystore.jks -file localclient.cer

Use the following command to import:

             keytool -importcert -alias localclient -keystore adminkeystore.jks -file localclient.cer

Now verify the contents of your keystore as below.

              keytool -list -v -keystore adminkeystore.jks


Similarly, configure OSB managed server using keystore osbkeystore.jks and use 7005 as the SSL port. Restart the OSB server after your changes.




To enable your proxy services to be accessed only by SSL, you have to enable HTTPS option as below.


Now if you try to access your Proxy Service WSDL from browser, it will be automatically uses SSL as shown below.


Most of the people uses SOAP UI to test their webservices. If you try to access this WSDL, you will be able to access from SOAP UI even without adding the required certificates to trust store. This is because SOAP UI trusts all by default as per this forum post.

To confirm the enablement of SSL on the Proxy Service, let us try to create a Webservice Proxy in JDeveloper that prompts to accept/trust the certificate.



When you enable SSL debugging, you might observe the following exception in server log though your 1-way SSL works as expected. As per Oracle Support note 1606295.1, this is not a harmful exception.

<1425221899641> <BEA-000000> <Exception processing certificates: peer not authenticated peer not authenticated
at weblogic.servlet.provider.WlsSecurityProvider.getSSLAttributes(
at weblogic.servlet.internal.VirtualConnection.initSSLAttributes(
at weblogic.servlet.internal.VirtualConnection.init(
at weblogic.servlet.internal.ServletRequestImpl.initFromRequestParser(
at weblogic.servlet.internal.HttpConnectionHandler.dispatch(
at weblogic.servlet.internal.MuxableSocketHTTP.dispatch(
at weblogic.socket.JSSEFilterImpl.dispatch(
at weblogic.socket.MuxableSocketDiscriminator.dispatch(
at weblogic.socket.JSSEFilterImpl.dispatch(
at weblogic.socket.SocketMuxer.readReadySocketOnce(
at weblogic.socket.SocketMuxer.readReadySocket(
at weblogic.socket.NIOSocketMuxer.process(
at weblogic.socket.NIOSocketMuxer.processSockets(
at weblogic.socket.SocketReaderRequest.execute(
at weblogic.kernel.ExecuteThread.execute(


4 Responses to “Service Bus 12c– One way SSL”

  1. 1 Rajesh Kanna December 21, 2015 at 6:55 PM

    Hi There,
    Your post is really helpful. I have tried above steps. When i tried to access the proxy service via browser, i am getting an error as “Webpage is not available”. Please could you help me resolve this error?

    • 2 svgonugu December 21, 2015 at 11:41 PM

      Can u check the url once again..also make sure that you enabled ssl for your proxy service..

      • 3 Mike Arbeed June 12, 2020 at 4:34 AM


        We followed yous steps but it seems we couldn’t tell in your keystore steps whan path you provided for the . we provided the path to the admin keystore we created earlier in the post but that didn’t work.

        Custom Identity Keystore: D:\webapps\scommon\jdk\jdk1.8\bin\keystore\adminkeystore.jks
        Custom Trust Keystore:

        We can’t load the console with port 7002. Any reason why?

  1. 1 Service Bus 12c – Series of Articles | Siva's Blog Trackback on March 31, 2015 at 6:01 PM

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 379 other subscribers

Enter your email address to follow this blog and receive notifications of new posts by email.

%d bloggers like this: