Oracle SOA Suite 12c: Solving a bug

Category: Oracle

For a customer in the Netherlands, in the healthcare division, Qualogy is implementing Oracle SOA Suite 12c (12.1.3) and Oracle Service Bus 12c (12.1.3). To connect a web service to a back-office system, we enabled SSL and the OWSM policy oracle/wss_username_token_over_ssl_service_policy.

We enabled SSL at domain level and created the necessary trust and identity keystores. After restarting the domain, all alerts in the Fusion Middleware Console seemed to have disappeared.

Oracle raised an official bug for this, Bug 20599654 – OSB Pipeline alerts are not displayed in EM console when SSL is enabled, which has been under investigation at Oracle Product Development since the beginning of March, up to now.

What we saw in the logs was that, when we enabled SSL at domain level, the OSB aggregator, which aggregates all OSB alert data, was not able to connect over the t3s protocol that WebLogic uses for internal applications to connect with each other over RMI. We saw these messages:

    Caused by: javax.naming.CommunicationException: t3://<hostname>.local:7010,<hostname>.local:7020: Destination <ip adress>, 7020 unreachable; nested exception is:
    java.net.ConnectException: Connection refused; No available router to destination [Root exception is java.net.ConnectException: t3://<hostname>.local:7010,<hostname>.local:7020: Destination <ip adress>, 7020 unreachable; nested exception is:
    java.net.ConnectException: Connection refused; No available router to destination]
    at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:40)

While Product Development was working on the bug, I started my own investigation and found the solution.

These are the steps I took:

WebLogic Domain Level

Only the managed servers contained the SSL domain config; I also configured the AdminServer not to use the demo certificates but the configured trust and identity stores.

Nodemanagers

After further investigation, I discovered that the Nodemanagers were not configured to use the SSL keystore configuration, so I added the following to nodemanager.properties (in <Domain home>/nodemanager) on all hosts:

    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeyStoreFileName=<location Identity Keystore>
    CustomIdentityKeyStorePassPhrase=<Password Identity Keystore>
    CustomIdentityAlias=<Alias in ID Keystore>
    CustomIdentityPrivateKeyPassPhrase=<Password Identity Keystore>

After this, the Nodemanagers need to be restarted. After the restart you will see that the password entries are encrypted.

The entire domain also had to be restarted. To check whether the WebLogic domain was listening on SSL, I used the Linux command:

    netstat -ntpl | grep 70
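The Node Manager step above can be verified with a small script. This is an added example, not code from the original post or from Oracle: it checks that nodemanager.properties carries the keystore settings listed above and flags any passphrase still stored in cleartext. The function names, the sample values and the `{AES}`/`{AES256}`/`{3DES}` prefixes used to recognise encrypted values are assumptions.

```shell
# Added example (not Oracle's or the author's code): audit nodemanager.properties
# for the keystore settings listed above and for passphrases left in cleartext.

# Print the value of property $2 in file $1 (last occurrence wins).
prop_value() {
    awk -F= -v k="$2" '
        /^[ \t]*[#!]/ { next }   # skip comment lines
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1) }
        END { gsub(/^[ \t]+|[ \t]+$/, "", v); print v }
    ' "$1"
}

# Return 0 only if every setting is present and both passphrases are encrypted.
audit_nodemanager_props() {
    file=$1; rc=0
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 2; }
    val=$(prop_value "$file" KeyStores)
    if [ "$val" != "CustomIdentityAndCustomTrust" ]; then
        echo "FAIL: KeyStores=$val (expected CustomIdentityAndCustomTrust)"; rc=1
    fi
    for key in CustomIdentityKeyStoreFileName CustomIdentityAlias; do
        [ -n "$(prop_value "$file" "$key")" ] || { echo "FAIL: $key is not set"; rc=1; }
    done
    for key in CustomIdentityKeyStorePassPhrase CustomIdentityPrivateKeyPassPhrase; do
        val=$(prop_value "$file" "$key")
        case "$val" in
            "") echo "FAIL: $key is not set"; rc=1 ;;
            # Assumption: encrypted values carry a {AES}, {AES256} or {3DES} prefix.
            "{AES}"*|"{AES256}"*|"{3DES}"*) echo "OK:   $key is encrypted" ;;
            *)  echo "WARN: $key is cleartext (Node Manager not restarted?)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: one passphrase encrypted, one still in cleartext.
demo() {
    sample=$(mktemp); status=0
    cat > "$sample" <<'EOF'
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=/constructed/path/identity.jks
CustomIdentityKeyStorePassPhrase={AES}Y29uc3RydWN0ZWQ=
CustomIdentityAlias=constructed-alias
CustomIdentityPrivateKeyPassPhrase=constructed-cleartext
EOF
    audit_nodemanager_props "$sample" || status=$?
    rm -f "$sample"; return $status
}
if [ $# -gt 0 ]; then audit_nodemanager_props "$1"; else demo || true; fi
```

Run it with the path to nodemanager.properties as the only argument; without an argument it audits the constructed sample.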

Alerts in Fusion Middleware console

After the restart, we saw that SSL was now in use. We generated some test messages and did some pipeline validations, and voilà.

Publication date: 20 April 2015

Michel Schildmeijer
About the author Michel Schildmeijer

Having made his start in the pharmacy sector, Michel transitioned to IT in 1996, working on a UNIX TTY terminal-based system and the MUMPS language. He currently works as a solutions architect at Qualogy, with a focus on middleware, application integration and service-oriented architecture. His passion for middleware started in 2000 when working as a support analyst for a financial institute with BEA WebLogic and Tuxedo. Michel is an expert on the WebLogic platform. He serves customers in his role as architect and advises them in all aspects of their IT landscape. He became an Oracle ACE in 2012 and wrote two books about WebLogic: Oracle WebLogic Server 11gR1 PS2: Administration Essentials and Oracle WebLogic Server 12c: First Look. He is a well-known speaker at national and international conferences and is recognised as an official Oracle Speaker. Read his blog: https://community.oracle.com/blogs/mnemonic
