Oracle SOA Version: 12.2.1.4

Service Style: REST

Certificate Authority: Digicert

When testing a REST Service deployed on Weblogic SOA, your fault returns:

Oracle states that you must have your SSL cert imported into ALL 3 locations below:

1. JDK's cacerts - Example: /java/jdk1.8.0_321/jre/lib/security/cacerts 

2. JKS Keystore - if you’ve configured your Weblogic servers to use a trust store different from the JDK’s cacerts above

3. KSS Keystore - kss://system/trust (access through EM)

However, even with all of these fulfilled, our REST Service continued to return the error.

After many hours of troubleshooting, we discovered the below scenario actually works:

1. SOA Managed servers are started with the WLS Admin Console (NOT with the command line startManagedWeblogic.sh)

2. the custom SSL cert is only imported into the trust store specified in the SOA Managed Servers’s SSL settings (our trust store was different than the JDK’s cacerts)

3. the custom SSL cert is NOT located in the JDK cacerts

4. the custom SSL cert is NOT located in the KSS Keystore

Of course, you will still want your REST Service to work even though someone decides to start the SOA servers through command line.

So, The Fix:

1. Ensure your SSL cert chain is in your keystore and trust store set on the SOA server settings

2. Import Digicert’s root cert into the KSS Keystore

This is a strange fix for sure but we’ve tried it, and it works.