Oracle SOA 12c REST Service, Digicert Certificate - Unable to find certification path to requested target

oracle soaoracle middlewaresslssl certificatesweblogicrestweb service
Written By devnumbertwo blog

Oracle SOA Version: 12.2.1.4

Service Style: REST

Certificate Authority: Digicert

When testing a REST Service deployed on Weblogic SOA, your fault returns:

unable to find valid certification path to requested target

Oracle states that you must have your SSL cert imported into ALL 3 locations below:

  1. JDK's cacerts - Example: /java/jdk1.8.0_321/jre/lib/security/cacerts 

  2. JKS Keystore - if you’ve configured your Weblogic servers to use a trust store different from the JDK’s cacerts above

  3. KSS Keystore - kss://system/trust (access through EM)

However, even with all of these fulfilled, our REST Service continued to return the error.

After many hours of troubleshooting, we discovered the below scenario actually works:

  1. SOA Managed servers are started with the WLS Admin Console (NOT with the command line startManagedWeblogic.sh)

  2. the custom SSL cert is only imported into the trust store specified in the SOA Managed Servers’s SSL settings (our trust store was different than the JDK’s cacerts)

  3. the custom SSL cert is NOT located in the JDK cacerts

  4. the custom SSL cert is NOT located in the KSS Keystore

Of course, you will still want your REST Service to work even though someone decides to start the SOA servers through command line.

So, The Fix:

  1. Ensure your SSL cert chain is in your keystore and trust store set on the SOA server settings

  2. Import Digicert’s root cert into the KSS Keystore

This is a strange fix for sure but we’ve tried it, and it works.

devnumbertwo blog
Previous

Find out how much swap a process is using on Linux
Next

Customizing the look (and other defaults) of your Dialogflow Agent