Pages

Friday, June 1, 2018

Invoking HTTPS Service Request from Oracle API Platform

Oracle API Platform's API Implementation has two service naming convention 1) API Request 2) Service Request.

API Request - is the endpoint to which users or applications send requests for your API.

Service Request - is the URL at which your back-end service receives requests.

In this blog we are going to discuss what are the additional configuration we need to done inside API Platform Gateway Server while invoking a HTTPS Service Request URL.

Since, its HTTPS URL obviously there is associated SSL cert with that URL which is signed by Certificate Authority.

Recently, I have been doing one POC where I was invoking a Service Request HTTPS URL but it was not working and later found out it's because of associated SSL certificate was not configured in Weblogic JKS Keystore.

Before, I get into detailed solution, let me tell you bit more about problem. At very initial stage when I tried creating an API which is in-turn calling an HTTPS service request, it was failing while invoking that service from rest POSTMAN tool and was getting "Internal Server error" as per below snap.


1

It was quite tricky to find out what's went wrong in back-end which was resulting above error. After struggling a bit I found one very important log file "Default.log" for API Gateway server aka Oracle Communication Service Gatekeeper (OCSG) Server, located at e.g. /u01/apics/install/domain/gateway1/servers/managedServer1/trace/ path. In your case "/u01/apics" might be different, but rest PATH should be same.

This logs, clearly state there was issue with SSL Handshake and was getting "javax.net.ssl.SSLHandshakeException: General SSLEngine problem" error as per given snap-


2




After, looking the message it was very clear that Weblogic Server where the API Gateway running was not trusting this HTTPS service request URL, as result above error was coming.

So, next challenge to get the HTTPS Certificate for this URL and import into Weblogic KeyStore.
Getting SSL Certificate for this HTTPS URL is quite easy, using any browser. In my case I opened URL into Mozila browser and export the same from there.

Open Service Request HTTPS URL in browser. In address bar green color keypad lock sign will appear, click on that, further click on ">" sign, click on "more information"  which will take you the dialog page where you can view certificate and export that certificate as per below snap.

3
4

So, now you got the SSL Certificate for this URL, next steps is to import this SSL Cert into Weblogic KeyStore. Before we do that, we need to know where the Keystore JKS file reside. In order to that, login to API Gateway Node Weblogic Console and Select the Managed Server and then Keystore as per below snap -

5
In above snap you can noticed that Weblogic is using two keystore files to validate what are cert Weblogic needs to trust. We can import downloaded cert into either of DemoTrust.jks or cacerts file.
In my case I tried out using DemoTruest.jks but feel free to use same command for cacerts file as well.

Now, you know that location, so jump into that location, take a backup of existing file by rename it and then import downloaded certificate. Below are the useful command to import and verify SSL cert after import.

$keytool -keystore DemoTrust.jks -import -alias opcau -file /home/opc/-opcaucom.crt -storepass DemoTrustKeyStorePassPhrase

6
7

$keytool -list -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase | grep -i opcau

9

So, now we have imported Service Request HTTPS URL SSL Certificate into API Gateway Server Weblogic KeyStore.

Note: You must restart the API Gateway server after this configuration to take it effect using below below commands. Make sure you in directory where "APIGateway" script located which could very based up installation of your environment.

$./APIGateway -f gateway-props.json -a stop

11

$./APIGateway -f gateway-props.json -a start

12

Now, API Platform Gateway Server started, test your API again and you should be able to invoke HTTP Service Request now.

10

Conclusion:

Just to summarized, that we have learned that when we need to invoke a HTTPS URL as Service Request, we must need to import associated SSL Certificate into Weblogic Keystore. This is common approach whenever we are invoking any HTTPS based resource for any component deployed on Weblogic. I hope this blog will helpful for reader struggling to fix HTTPS related configuration inside Weblogic.

Happy Blogging :)

No comments:

Post a Comment