Oracle ICS : Import ERP Cloud certificates

One of the pre-requisites to implement callback from ERP cloud to Oracle ICS is importing the ERP cloud certificates into ICS to authenticate SAML assertion from Oracle ERP cloud.

First we will cover how to retrieve the certificates:

1. The ERP cloud certificates can be retrieved from the Catalog Service WSDL URL.
The WSDL URL is like below:

R12: https://hostname/fndAppCoreServices/ServiceCatalogService?WSDL
R12: https://hostname/fscmService/ServiceCatalogService?WSDL

Enter the WSDL URL in your browser. Once loaded, navigate to X509Certificate element like shown below:

2. Copy each certificate string and in notepad make like below:

-----BEGIN CERTIFICATE-----
YIOUMIIDbDCCAlSgAwIBAgIGAVMkh+/kMA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdNe
-----END CERTIFICATE-----

3. Save this file as erp_certificate1.cer
4. Repeat for second certificate line and save as erp_certificate2.cer

Now that we have both certificates we will import them into Oracle ICS

1. Login to Oracle ICS console
2. On the left navigation bar go to Integrations
3. Click on Settings

4. Under Settings select Certificates

5. On upper-right corner click on Upload
6. Select Type: Message Protection Certificate. Enter a valid name and browse and upload your certificate 1

7. Repeat for certificate 2

There done.


Helpful?? Please Comment

Happy Learning!!

SOA 12c : SunCertPathBuilderException: unable to find valid certification path to requested target

Here is what you should do if you are exposing your SOA or any other service securely and on invocation getting  the below error.

Error- 

javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause-

The reason for the error is that the certificates are not part of the trust store or when a server changed their HTTPS SSL certificate, the older version of Java did not recognize the root certificate authority (CA).

Solution-

1. Access the HTTPS service in the browser. Click on the HTTPS certificate chain (there is lock icon in the Internet Explorer, or the domain name left of the URL in Firefox) and navigate the certificate hierarchy
2. Export the certificates, generally Root, Secure and your certificate.crt to a tmp directory
3. To verify the root certificates, determine where the cacerts file is located. By default it is in jre/lib/security/cacerts under your JDK home
4. Navigate to directory and execute the below command:
  
keytool -list -v keystore ./cacerts


You will be prompted for password, Enter password  and check if the certificates are present inside the file.

5. Assuming that the certificates are called; exampleroot.crt, examplesecure.crt and example.crt type the command below:

keytool -keystore ./cacerts -import -alias exampleroot -file /tmp/exampleroot.crt

6. You will be prompted for password, Enter password. and Respond 'yes' to trust this key.
7. Repeat for remaining certificates.
8. Restart your JVM and test.  

Now you will be able to access/invoke HTTPS URL. 

Note: If you are using custom trust store, make sure that the key-store is  part of the startup parameter of your server.



Helpful? Please Comment.

Happy Learning!!