Last Updated: February 25, 2016
· rogerdipas

Accessing a SSL WebService from Weblogic server

Sometimes some of the webservices software you are consuming are protected by using SSL, and nor SOA composites neither OSB proxies will be able to reach them.

To deal with this, you need to add the third party certificate to the Java VM keystore.

There is information over the internet about this, but sometimes is quite mixed, so this is the way I could solve it. Hope it works for you!

In order to get the third party Certificate, you need to download it.


Click on see Certificate (Ver Certificado)


Then Go to details and export the certificate:


Once downloaded as a .crt file, upload it to the server.

In the server, you have to add this certificate to the Java Keystore. For that, you need only to execute this command:

${ORACLE_HOME}/product/jrockit-jdk1.6.0_20-R28.1.0-4.0.1/bin/keytool -import -alias [AliasForYourCertificate]  -keystore ${ORACLE_HOME}/Middleware/wlserver_10.3/server/lib/DemoTrust.jks -file /home/oracle/[YourCertFile].crt

You can see that /home/oracle/[YourCertFile].crt should be the downloaded cert
[AliasForYourCertificate] is an alias for the cert trust rule
KeyTool will ask then for a pass phrase; the default one for this demo keystore is "DemoTrustKeyStorePassPhrase".

If at any time you need pass phrases for other components, those are: "DemoTrustKeyStorePassPhrase", "DemoIdentityKeyStorePassPhrase", "DemoIdentityPassPhrase", changeit (this last one for the java default keystore, located in ${ORACLEHOME}/product/jrockit-jdk1.6.020-R28.1.0-4.0.1/jre/lib/security/cacerts)

You can check if the add was succesfull listing the certificates:

${ORACLE_HOME}/product/jrockit-jdk1.6.0_20-R28.1.0-4.0.1/bin/keytool -list -keystore ${ORACLE_HOME}/Middleware/wlserver_10.3/server/lib/DemoTrust.jks

In my case, it printed:

Your keystore contains 5 entries

certgenca, Mar 22, 2002, trustedCertEntry,
Certificate fingerprint (MD5): 8E:AB:55:50:A4:BC:06:F3:FE:C6:A9:72:1F:4F:D3:89

wlsdemocanew2, Jan 24, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 5B:10:D5:3C:C8:53:ED:75:43:58:BF:D5:E5:96:1A:CF

wlsdemocanew1, Jan 24, 2003, trustedCertEntry,
Certificate fingerprint (MD5): A1:17:A1:73:9B:70:21:B9:72:85:4D:83:01:69:C8:37

wlscertgencab, Jan 24, 2003, trustedCertEntry,
Certificate fingerprint (MD5):       A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE

and you should see

[AliasForYourCertificate], Aug 31, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 3A:14:EA:C7:E9:53:B8:B8:09:95:71:89:68:1D:D8:79

Now you have to restart Weblogic’s Admin server. I’m not sure if there is need to restart SOA.
In the Composite, the references that connect to the SSL Services should contain the following policies/properties:

<reference name="Service2"
<interface.wsdl interface="http://*****#wsdl.interface(*****)"/>
< port="http://*****#wsdl.endpoint(ClinicalStudyInterface_SF_Service/ClinicalStudyInterface_SF_Port)"
  <wsp:PolicyReference URI="oracle/wss_username_token_client_policy"
                       orawsp:category="security" orawsp:status="enabled"/>
  <property name="weblogic.wsee.wsat.transaction.flowOption"
            type="xs:string" many="false">WSDLDriven</property>
  <property name="oracle.webservices.auth.username" type="xs:string"
            many="false" override="may">user</property>
  <property name="oracle.webservices.auth.password" type="xs:string"
            many="false" override="may">pass</property>


In Weblogic you can configure whether to use the Demo SSL trust configuration, or your custom one. Connecto to the Admin Server. Go to servers:


Click on Admin Server, then select Configuration / Keystores


And you can change the Keystores source using the Change Button.


In order to change the keystores, you need to “Lock & Edit” the session. There is no need to reboot the server after this changes; only remember to Save and Activate the session.

1 Response
Add your response

really cool, thanks a lot for the comprehensive explanation

over 1 year ago ·