Skip to main content

Import Certificate in Oracle OPSS Keystore Service(KSS)

Import Certificate in Oracle OPSS Keystore Service(KSS)


OPSS Keystore Service provides an alternate mechanism to manage keys and certificates for message security. The OPSS Keystore Service makes using certificates and keys easier by providing central management and storage of keys and certificates for all servers in a domain. You use the OPSS Keystore Service to create and maintain keystores of type KSS.

In SOA 12c, OPSS is configured to use the database instead of the file system by default.
Now every time an Expanded, Compact or Integrated Domain is created, the following settings will be seen in the Keystore tab.


The above KSS (Key Store Service) nomenclature indicates that the Keystore is being handled within OPSS rather than the standard Java Keytool. So in order to import a certificate, you have to:

1. Download the certificate which has the entire chain.

2. Log in to Fusion Middleware Control (EM).

3. From the navigation pane, locate the domain i.e "SOA Domain"

4. Navigate to Security, then Keystore. The Keystore page appears.

5. Expand the stripe in which the Keystore resides and  Select the row corresponding to the Keystore. For this case system -> trust
We will use Trustore to place the certificate to call the external SSL partner link.

6. click Manage.

7. If the Keystore is password-protected, you are prompted for a password. Enter the Keystore password and click OK.

8. The Manage Certificates page appears. Click Import.

9. The Import Certificate dialog appears.

10. Select the certificate type, either Certificate or Trusted Certificate, from the drop-down. For this case use "Trusted Certificate"

11. Provide an alias i.e "testTrust"

12. Specify the certificate source. If using the Paste option, copy and paste the certificate directly into the text box. If using the Select a file option, click Browse to select the file from the operating system.

13. Click OK. The imported certificate or trusted certificate appears in the list of certificates.

14. Click OK.

15. Bounce the managed server.

16. Repeat steps 2 - 5 and verify the certificate appears in the list of certificates.

 

If the application WSDL is certificate authority (CA)-certified, you must update FMW_HOME/user_projects/domains/WLS_SOA/bin/setDomainEnv.sh as follows:

 

1) Open FMW_HOME/user_projects/domains/WLS_SOA/bin/setDomainEnv.sh.


2) In EXTRA_JAVA_PROPERTIES:

Replace:

-Djavax.net.ssl.trustStore=%WL_HOME%\server\lib\DemoTrust.jks

With:

-Djavax.net.ssl.trustStore=kss://system/trust -Djavax.net.ssl.trustStoreType=kss

 

 

Note: In case problem persist, make sure you have removed the DemoTrust.jks. This can be done by modifying the setDomainEnv.sh script, removing the following:
-Djavax.net.ssl.trustStore=${WL_HOME}/server/lib/DemoTrust.jks






If you like please follow and comment
Labels:

Comments

Post a Comment

Popular posts from this blog

WebLogic migration to OCI using WDT tool

WebLogic migration to OCI using WDT tool Oracle WebLogic Deploy Tool (WDT) is an open-source project designed to simplify and streamline the management of Oracle WebLogic Server domains. With WDT, you can export configuration and application files from one WebLogic Server domain and import them into another, making it a highly effective tool for tasks like migrating on-premises WebLogic configurations to Oracle Cloud. This blog outlines a detailed step-by-step process for using WDT to migrate WebLogic resources and configurations. Supported WLS versions Why Use WDT for Migration? When moving Oracle WebLogic resources from an on-premises environment to Oracle Cloud (or another WebLogic Server), WDT provides an efficient and reliable approach to: Discover and export domain configurations and application binaries. Create reusable models and archives for deployment in a target domain. Key Pre-Requisites Source System: An Oracle WebLogic Server with pre-configured resources such as: Applica...
Post a Comment
Read more

How to Validate TDE Wallet Password in Oracle Database

How to Validate TDE Wallet Password in Oracle Database Validating the Transparent Data Encryption (TDE) wallet password is crucial, especially when ensuring that the password is correct without using the OPEN or CLOSE commands in the database. This blog post explains a straightforward method to validate the TDE password using the mkstore utility. Steps to Validate TDE Wallet Password Follow these steps to validate the TDE wallet password: Step 1: Copy the Keystore/Wallet File Navigate to your existing TDE wallet directory. Copy only the ewallet.p12 file to a new directory. If a cwallet.sso file exists, do not copy it . The absence of cwallet.sso ensures that the wallet does not use auto-login, forcing the utility to prompt for the password. Step 2: Validate Using mkstore Use the mkstore utility to check the contents of the wallet file. The mkstore utility will prompt you for the TDE wallet password, allowing you to validate its correctness. Command Syntax To display the conten...
Post a Comment
Read more

Rename a PDB in Oracle Database Multitenant Architecture in TDE and Non TDE Environment

Rename a PDB in Oracle Database Multitenant Architecture I am sharing a step-by-step guide to help you rename a PDB. This approach uses SQL commands. Without TDE or encryption Wallet Initial Check Check the Current Database Name and Open Mode: SQL > SELECT NAME, OPEN_MODE FROM V$DATABASE; NAME OPEN_MODE --------- -------------------- BEECDB READ WRITE List Current PDBs: SQL > SHOW PDBS; CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 2 PDB$SEED READ ONLY NO 3 FUAT READ WRITE NO We need to RENAME FUAT to BEE  Steps to Rename the PDB Step 1: Export ORACLE_SID Set the Oracle SID to the Container Database (CDB): export ORACLE_SID=BEECDB Step 2: Verify Target PDB Name Availability If the target PDB name is different from the current PDB name, ensure no service exists with the target PDB name. Run SQL to Check Exi...
Post a Comment
Read more